GDPR Vendor Management: 8 Critical Clauses
The European Commission's first DMA review landed on 30 April 2026 and the cloud headlines wrote themselves. AWS and Microsoft Azure are under formal market investigation; AI services may be designated as virtual assistant core platform services; competition law is moving deeper into the cloud. Useful background for your work. Largely irrelevant for the GDPR vendor management questions on your CIPP/E exam.
The exam still tests Article 28. The exam still tests Article 32. Knowing the difference between competition law on cloud providers and data protection law on controllers and processors is the single most reliable way to navigate the cloud-flavoured scenarios you will see on the paper.
The DMA review made headlines. The exam did not change.
The DMA is competition regulation; the GDPR is data protection regulation. They sit on different legal bases and pursue different objectives. The DMA polices market power, gatekeeper conduct and contestability. Recent reporting on the review, on Apple's compliance disputes and on AI virtual assistants as a possible core platform service is all interesting; none of it touches your duties as a GDPR controller.
The Body of Knowledge (the IAPP's published list of every topic the exam can test, organised into five CIPP/E domains) anchors GDPR vendor management in II.A.4 (controller and processor concepts), II.B.3 (vendor management), II.B.4 (sharing personal data) and V.D.1 (cloud computing compliance). The DMA review does not feature in that list.
GDPR vendor management: what Article 28 actually requires
Article 28 of the GDPR does two things. It sets a quality threshold for choosing a processor and it dictates the contractual terms.
Mandatory contract content
The contract or other binding legal act must set out the subject matter and duration of processing, its nature and purpose, the type of personal data and categories of data subject, plus the controller's rights and obligations. This is the descriptive backbone. A processor agreement that does not specify these elements is non-compliant on its face, regardless of how sophisticated the rest of the document looks.
The eight processor obligations
Article 28(3) sets eight specific obligations the processor must accept by contract:
- process only on documented controller instructions;
- ensure that persons authorised to process the data are bound by confidentiality;
- implement appropriate Article 32 security measures;
- engage sub-processors only with controller authorisation;
- assist the controller in responding to data-subject requests;
- assist with Articles 32 to 36 obligations (security, breach notification, DPIA, prior consultation);
- delete or return personal data at the end of processing;
- make available all information needed to demonstrate compliance and allow audits.
These eight clauses define the operational core of GDPR vendor management, and EDPB Opinion 22/2024 pushes the same logic down through processing chains. The exam will test every link.
GDPR vendor management and "sufficient guarantees"
Article 28(1) requires the controller to use only processors providing "sufficient guarantees" of appropriate technical and organisational measures. Article 32 specifies what those measures must achieve: a level of security appropriate to the risk, taking the state of the art into account.
In practice this means evidence: certifications, audit reports, access-control documentation, incident-response track record, supplier security questionnaires and demonstrable contractual arrangements. "We use a market-leading provider" is not a sufficient guarantee. Documented assessment is. Domain V.D.1 cloud-computing questions consistently turn on whether the controller has done this assessment, not whether the cloud provider is famous.
Where DMA touches GDPR vendor management (and where it does not)
The DMA changes the negotiation environment, not the data-protection contract. Designated gatekeepers face contestability, switching, data-portability and interoperability obligations. If AWS or Microsoft Azure is formally designated, your migration leverage improves and exit clauses become more enforceable in commercial reality. None of this replaces Article 28. None of it weakens the "sufficient guarantees" test. None of it removes the requirement that you, the controller, document the eight processor obligations in writing and test them throughout the relationship.
If your processor sits outside the EEA, Chapter V transfer obligations stack on top of the Article 28 contract. III.D.4 standard contractual clauses and III.D.7 transfer impact assessments, post-Schrems II, still apply with the EDPB's supplementary measures recommendations governing the assessment. A market-power shift does not collapse a jurisdictional one. The transfer regime is independent of competition designation.
Two practice questions
A controller in Lyon engages a processor headquartered in Dublin for SaaS payroll. The contract recites the eight Article 28(3) obligations, the controller has an audit report and the processor refuses to identify its sub-processors. Compliant or non-compliant? Non-compliant. Article 28(2) requires sub-processor authorisation, which presupposes identification.
A multinational deploys an AI customer-service tool from a US gatekeeper that has just been designated under the DMA. Switching costs have collapsed and a new contract is on the table. Does the new commercial position change the controller's TIA obligations? No. The DMA designation has no effect on the Schrems II analysis. The TIA, the SCCs and the supplementary measures assessment remain the controller's responsibility under Chapter V.
Reset your GDPR vendor management revision
Two questions to take into your next GDPR vendor management study session: which of the eight Article 28(3) obligations does your example contract actually evidence, and where does your TIA documentation live for non-EEA processors? If either answer is hesitant, that is exactly the gap a scenario question will exploit.
The CIPP/E study path on 22academy.com/study walks through Article 28, Article 32 and Chapter V in sequence; that order is also the order the exam tests them. The PSG CIPP/E study guide maps the same path against your remaining weeks.