Guides creation and review of GDPR Article 28(3) data processing agreements, covering eight mandatory clauses, 2021 SCC references, and processor compliance checklist.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin gdpr-compliance-skills

This skill uses the workspace's default tool permissions.
Article 28(3) requires that processing by a processor is governed by a contract or other legal act that is binding on the processor and sets out specific mandatory elements. This skill details all eight mandatory clauses, provides a compliance checklist, and references the 2021 EU Standard Contractual Clauses for controller-to-processor transfers.
The DPA must specify the subject-matter of the processing (what processing is being carried out), the duration (aligned with the service contract term), the nature of the processing (collection, storage, analysis, deletion), and the purpose of the processing.
The DPA must list the specific categories of personal data being processed (names, email addresses, financial data, health data, etc.).
The DPA must identify which data subjects are affected (employees, customers, website visitors, patients, etc.).
The DPA must set out the controller's documented instructions to the processor, covering what the processor is authorised to do with the data.
(a) Documented instructions: The processor shall process personal data only on documented instructions from the controller, including with regard to transfers to third countries, unless required to do so by EU or Member State law — in which case the processor must inform the controller before processing (unless the law prohibits such notification).
(b) Confidentiality: The processor shall ensure that persons authorised to process the personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) Security measures: The processor shall take all measures required pursuant to Article 32 (security of processing).
(d) Sub-processors: The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor must inform the controller of any intended changes concerning the addition or replacement of sub-processors, giving the controller the opportunity to object (Art. 28(2) and (4)).
(e) Assistance with data subject rights: The processor shall assist the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to data subject requests (Art. 15-22).
(f) Assistance with GDPR obligations: The processor shall assist the controller in ensuring compliance with Articles 32-36 (security, breach notification, DPIAs, prior consultation), taking into account the nature of processing and the information available to the processor.
(g) Data return or deletion: At the choice of the controller, the processor shall delete or return all personal data after the end of the provision of processing services, and delete existing copies unless EU or Member State law requires storage.
(h) Audit and inspection: The processor shall make available to the controller all information necessary to demonstrate compliance with Art. 28 obligations, and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
If the processor or any sub-processor transfers personal data outside the EEA, appropriate safeguards must be in place (SCCs, BCRs, adequacy decision, or derogation).
The processor must impose the same data protection obligations in the sub-processing contract. The initial processor remains fully liable to the controller for the sub-processor's performance (Art. 28(4)).
The contract must be in writing, including in electronic form (Art. 28(9)).
| # | Requirement | Art. Reference | Present? |
|---|---|---|---|
| 1 | Subject-matter and duration specified | Art. 28(3) | |
| 2 | Nature and purpose of processing defined | Art. 28(3) | |
| 3 | Types of personal data listed | Art. 28(3) | |
| 4 | Categories of data subjects identified | Art. 28(3) | |
| 5 | Processor acts only on documented instructions | Art. 28(3)(a) | |
| 6 | Notification if law requires processing beyond instructions | Art. 28(3)(a) | |
| 7 | Confidentiality commitment for authorised personnel | Art. 28(3)(b) | |
| 8 | Art. 32 security measures implemented | Art. 28(3)(c) | |
| 9 | Sub-processor authorisation mechanism specified | Art. 28(3)(d), 28(2) | |
| 10 | Sub-processor change notification procedure | Art. 28(4) | |
| 11 | Controller objection right to new sub-processors | Art. 28(2) | |
| 12 | Same obligations imposed on sub-processors | Art. 28(4) | |
| 13 | Assistance with data subject rights requests | Art. 28(3)(e) | |
| 14 | Assistance with Art. 32-36 obligations | Art. 28(3)(f) | |
| 15 | Data return or deletion upon contract end | Art. 28(3)(g) | |
| 16 | Audit and inspection rights for controller | Art. 28(3)(h) | |
| 17 | Information to demonstrate compliance | Art. 28(3)(h) | |
| 18 | International transfer safeguards (if applicable) | Art. 28(3), Ch. V | |
| 19 | Written form (including electronic) | Art. 28(9) | |
| 20 | Processor breach notification to controller | Art. 33(2) | |
Commission Implementing Decision (EU) 2021/914 of 4 June 2021 established new SCCs that include a Module Two (Controller to Processor) and Module Three (Processor to Processor) set. These SCCs can serve as the DPA or can supplement an existing DPA for international transfers. Key clauses in the controller-to-processor module: