DOMAIN:PRIVACY:DATA_PROCESSING_AGREEMENTS

OWNER: julian
ALSO_USED_BY: aimee, eric, victoria
UPDATED: 2026-03-26
SCOPE: DPA requirements and international data transfer mechanisms


OVERVIEW

Every time GE or a client uses a third-party processor for personal data,
a Data Processing Agreement (DPA) is required under GDPR Art. 28.
Every time personal data leaves the EEA, a transfer mechanism is required.
Getting DPAs wrong is one of the most common GDPR violations.

FINE_EXAMPLE: Advanced Computer Software — GBP 3.1M — first fine on a data processor (no MFA, no vuln scanning).


DPA REQUIREMENTS (Art. 28 GDPR)

WHEN A DPA IS REQUIRED

ALWAYS when a controller engages a processor to process personal data.
ALWAYS when a processor engages a sub-processor.

CONTROLLER: determines purposes and means of processing.
PROCESSOR: processes personal data on behalf of controller.
SUB-PROCESSOR: processor engaged by another processor.

GE's ROLES

GE_AS_PROCESSOR: when GE builds/operates a system handling client's customer data
GE_AS_CONTROLLER: when GE processes data for its own purposes (employee data, marketing)
GE_AS_SUB-PROCESSOR: when GE uses cloud services (AWS, Vercel, etc.) under client's DPA

MANDATORY DPA CONTENTS (Art. 28(3))

Every DPA MUST include:

  1. SUBJECT_MATTER: description of processing (what data, whose data, what operations)
  2. DURATION: how long processing lasts
  3. NATURE_AND_PURPOSE: why the data is being processed
  4. TYPE_OF_DATA: categories of personal data
  5. CATEGORIES_OF_SUBJECTS: whose data (customers, employees, website visitors)
  6. INSTRUCTIONS: processor acts only on documented instructions of controller
  7. CONFIDENTIALITY: persons authorised to process commit to confidentiality
  8. SECURITY: appropriate technical and organisational measures (Art. 32)
  9. SUB-PROCESSING: conditions for engaging sub-processors (see below)
  10. DSR_ASSISTANCE: processor assists controller in fulfilling data subject rights
  11. DELETION_OR_RETURN: delete or return all data at end of processing
  12. AUDIT_RIGHTS: controller can audit or have audited processor's compliance
  13. BREACH_NOTIFICATION: processor notifies controller without undue delay of personal data breach
  14. DPIA_ASSISTANCE: processor assists with DPIAs where relevant
  15. INTERNATIONAL_TRANSFERS: conditions for transfers outside EEA

RECOMMENDED ADDITIONS (not required by Art. 28(3), but negotiate where possible):
  • liability caps and indemnification
  • insurance requirements
  • specific technical measures (encryption standards, access controls)
  • incident response SLAs (notification within specific hours)
  • data localisation commitments (if required)

SUB-PROCESSOR MANAGEMENT

AUTHORISATION MODELS (Art. 28(2))

PRIOR_SPECIFIC: controller approves each sub-processor individually before engagement
GENERAL: controller gives general written authorisation — processor must inform of changes
IF_GENERAL: controller has right to object to new/replacement sub-processors

OBLIGATIONS

PROCESSOR MUST:
CHECK: impose same data protection obligations as in DPA on all sub-processors
CHECK: maintain updated list of sub-processors (accessible to controller)
CHECK: notify controller of intended changes to sub-processors
CHECK: give controller opportunity to object
CHECK: remain fully liable for sub-processor's compliance failures

PRACTICAL IMPLEMENTATION

MAINTAIN: sub-processor register per client contract
UPDATE: when adding/changing cloud services, analytics tools, support platforms
NOTIFY: email notification to controller (typically 30 days before change)
OBJECTION_PROCESS: define in DPA what happens if controller objects (typically: discuss, find alternative, or terminate)

COMMON SUB-PROCESSORS FOR GE

CLOUD: UpCloud (FI, PRIMARY), Hetzner (DE), OVH (FR). AWS/Google Cloud/Azure only if client requires (US-based — sovereignty risk).
CDN: bunny.net (SI, PRIMARY). Cloudflare as secondary (US-based — sovereignty risk).
EMAIL: Brevo (FR, PRIMARY), Mailjet (FR). Postmark, SendGrid, AWS SES only if client requires (US-based — sovereignty risk).
MONITORING: self-hosted Grafana/Prometheus (PRIMARY). Sentry (self-hostable). Datadog only if client requires (US-based — sovereignty risk).
PAYMENTS: Mollie (NL, PRIMARY). Stripe only if client requires international (US-based — sovereignty risk).
AUTH: Keycloak (self-hosted, PRIMARY). Auth0, Clerk only if client requires (US-based — sovereignty risk).
SEARCH: Meilisearch (FR, PRIMARY — self-hosted). Algolia only if client requires (US-based — sovereignty risk).

ACTION: maintain master sub-processor list. Review quarterly.


STANDARD CONTRACTUAL CLAUSES (SCCs)

TWO TYPES (both published Jun 4, 2021)

1. TRANSFER SCCs (Implementing Decision 2021/914)

PURPOSE: mechanism for international data transfers to third countries
MANDATORY: when transferring personal data outside EEA to country without adequacy decision
MODULAR_APPROACH: four modules covering all transfer scenarios

MODULE_1: Controller to Controller (C2C)
MODULE_2: Controller to Processor (C2P) — most common for cloud services
MODULE_3: Processor to Processor (P2P) — sub-processor chains
MODULE_4: Processor to Controller (P2C, the reverse of Module 2 — rare)

2. ART. 28 SCCs (Implementing Decision 2021/915)

PURPOSE: optional standard DPA template for controller-processor relationships within EU
OPTIONAL: not mandatory — any DPA meeting Art. 28 requirements is valid
NOTE: Modules 2 and 3 of Transfer SCCs include Art. 28 requirements — no separate DPA needed if using Transfer SCCs

KEY RULES

ALL agreements since Sep 27, 2021 MUST use new SCCs (old 2010/2004 versions invalid).
Transfer SCCs CANNOT be modified (core clauses) — only completed (annexes).
ADDITIONAL clauses permitted IF they do not contradict SCCs or undermine data subject rights.


DATA TRANSFER MECHANISMS POST-SCHREMS II

BACKGROUND

CJEU Schrems II (Jul 16, 2020): invalidated EU-US Privacy Shield.
CORE_ISSUE: US surveillance laws (FISA 702, EO 12333) may compel access to EU personal data.
RESULT: all transfers to US (and other non-adequate countries) require enhanced safeguards.

CURRENT MECHANISMS (ranked by preference)

1. ADEQUACY DECISIONS (Art. 45)

EASIEST: Commission has determined adequate level of protection — transfer freely.
NO additional safeguards needed.

CURRENT ADEQUATE COUNTRIES (as of Mar 2026):
- US (Data Privacy Framework — DPF) — since Jul 10, 2023
- UK — since Jun 28, 2021
- Japan — since Jan 23, 2019
- South Korea — since Dec 17, 2022
- Canada (commercial organisations) — since Dec 20, 2001
- Switzerland, Israel, Argentina, New Zealand, Uruguay, Andorra, Faroe Islands, Guernsey, Isle of Man, Jersey

DPF_WARNING: under threat.
- NOYB announced intent to challenge before CJEU ("Schrems III")
- Lack of PCLOB quorum raises oversight concerns
- Uber fined EUR 290M for inadequate US transfer safeguards pre-DPF
IF_INVALIDATED: revert to SCCs with enhanced supplementary measures.

2. STANDARD CONTRACTUAL CLAUSES + TIA (Art. 46(2)(c))

WHEN: no adequacy decision for destination country
REQUIREMENT: SCCs ALONE are not enough (Schrems II)
MUST also conduct Transfer Impact Assessment (TIA):
- assess whether destination country laws could compel disclosure
- evaluate specific circumstances of transfer
- determine if additional safeguards needed

TIA_GUIDANCE: CNIL published detailed TIA methodology Jan 2025.

3. BINDING CORPORATE RULES (Art. 47)

WHEN: intra-group international transfers (multinational companies)
APPROVAL: by lead supervisory authority (lengthy process — 12-18 months)
USE_FOR: large enterprises with multiple entities in non-adequate countries
NOT_PRACTICAL_FOR: GE or most SME clients

4. ART. 49 DEROGATIONS (narrow exceptions)

EXPLICIT_CONSENT: data subject informed of risks and consents
CONTRACT_NECESSITY: transfer necessary for performance of contract with data subject
IMPORTANT_PUBLIC_INTEREST: recognised in EU or Member State law
LEGAL_CLAIMS: necessary for establishment, exercise, or defence of claims
VITAL_INTERESTS: necessary to protect life
PUBLIC_REGISTER: transfer from register open to public

WARNING: derogations must be interpreted strictly — not a basis for systematic transfers.
EDPB: Art. 49 derogations are "exceptions to the principle that personal data may only be transferred on the basis of adequate safeguards."


TRANSFER IMPACT ASSESSMENT (TIA)

WHEN REQUIRED

ALWAYS when using SCCs as transfer mechanism (any module).
NOT required for adequacy decision transfers (but advisable as contingency).

TIA METHODOLOGY

STEP_1: identify transfer — what data, to whom, to where, for what purpose
STEP_2: verify transfer tool — which SCC module applies
STEP_3: assess destination country law — surveillance laws, government access, rule of law
STEP_4: assess practical experience — actual government access requests to recipient
STEP_5: identify supplementary measures — technical, organisational, contractual
STEP_6: document assessment and conclusion
STEP_7: re-evaluate at appropriate intervals (at minimum annually)

SUPPLEMENTARY MEASURES

TECHNICAL (strongest):
- encryption in transit and at rest with EU-held keys
- pseudonymisation before transfer (mapping kept in EU)
- split processing (sensitive elements processed in EU only)

ORGANISATIONAL:
- internal policies limiting government access disclosure
- transparency reports on government requests
- data minimisation for transferred data

CONTRACTUAL:
- notification obligation if recipient receives government access request
- commitment to challenge disproportionate requests
- audit rights
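The two strongest technical measures above (pseudonymisation before transfer with the mapping kept in the EU, and split processing of sensitive elements) can be enforced in code rather than by policy alone. The following is an added illustration, not GE's code: a small EU-side "vault" holds the pseudonymisation key and the pseudonym-to-identity mapping, the export payload that crosses the border carries only a keyed-hash pseudonym, EU-only fields are never exported, and a pre-transfer gate refuses any payload in which a direct identifier survives. The record fields, the identifier lists and the sample records are constructed for the example.

```python
"""Pseudonymisation before an international transfer, with key and mapping
kept in the EEA. Added example (not GE's code); all record fields, the
identifier lists and the sample data are constructed for illustration."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Direct identifiers: replaced by a pseudonym, never exported in clear.
DIRECT_IDENTIFIERS = ("email", "name")
# Split processing: these fields are processed in the EU only, never exported.
EU_ONLY_FIELDS = ("iban",)


class EuPseudonymVault:
    """Holds the EU-held key and the pseudonym -> identity mapping.

    In a real deployment this object lives on EU-resident infrastructure;
    the importer outside the EEA never sees the key or the mapping."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)
        self._mapping: dict = {}

    def pseudonym(self, subject_key: str) -> str:
        # Keyed hash (HMAC-SHA256): stable per subject, so exported records stay
        # linkable, but not reversible without the EU-held key.
        return hmac.new(self._key, subject_key.encode("utf-8"),
                        hashlib.sha256).hexdigest()[:32]

    def pseudonymise(self, record: dict) -> tuple:
        """Split one record into (export_record, eu_record).

        Only export_record crosses the border; eu_record and the mapping stay
        in the EU. The e-mail address is used as the subject key here."""
        pid = self.pseudonym(record["email"])
        self._mapping[pid] = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
        export = {k: v for k, v in record.items()
                  if k not in DIRECT_IDENTIFIERS and k not in EU_ONLY_FIELDS}
        export["subject_pseudonym"] = pid
        eu_record = {"subject_pseudonym": pid}
        eu_record.update({k: record[k] for k in EU_ONLY_FIELDS if k in record})
        return export, eu_record

    def reidentify(self, pid: str) -> dict:
        """Re-identification is only possible here, on the EU side."""
        return self._mapping[pid]


def contains_direct_identifier(export_record: dict) -> bool:
    """Pre-transfer gate: true if a direct or EU-only field leaked into the export."""
    return any(k in export_record for k in DIRECT_IDENTIFIERS + EU_ONLY_FIELDS)


# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"email": "anna.example@example.eu", "name": "Anna Example",
     "iban": "DE00 0000 0000 0000 0000 00", "plan": "pro", "tickets": 3},
    {"email": "ben.example@example.eu", "name": "Ben Example",
     "iban": "FR00 0000 0000 0000 0000 000", "plan": "free", "tickets": 0},
]


def prepare_transfer(records: list, vault: EuPseudonymVault) -> str:
    """Build the JSON payload for the non-EEA importer, refusing leaks."""
    payload = []
    for record in records:
        export, _eu_record = vault.pseudonymise(record)
        if contains_direct_identifier(export):
            raise ValueError("direct identifier present in export payload")
        payload.append(export)
    return json.dumps(payload, sort_keys=True)


if __name__ == "__main__":
    vault = EuPseudonymVault()
    print(prepare_transfer(SAMPLE_RECORDS, vault))
```

The pseudonym is keyed rather than a plain hash so that an importer holding a list of candidate e-mail addresses cannot reverse it by hashing guesses; rotating the key in the vault invalidates linkage across exports, which is a trade-off to document in the TIA. The gate function is deliberately separate from the pseudonymisation step so it can also be applied to payloads produced elsewhere before they are handed to the transfer tool.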

HIGH-RISK DESTINATIONS

COUNTRIES requiring significant supplementary measures:
- China (PIPL + national security laws)
- Russia (Federal Law 242-FZ + FSB access)
- India (proposed Digital Personal Data Protection Act)
- US (without DPF certification) — FISA 702 risk


PRACTICAL DPA MANAGEMENT

DPA INVENTORY

MAINTAIN: register of all DPAs (both where GE is controller and processor)
INCLUDE: parties, date, scope, sub-processors, transfer mechanisms, review date
REVIEW: annually or when material changes occur

VENDOR DPA REVIEW CHECKLIST

BEFORE signing vendor DPA:
CHECK: Art. 28(3) requirements all present
CHECK: sub-processor notification mechanism clear
CHECK: audit rights meaningful (not just self-certification)
CHECK: breach notification timeline specified (ideally <48h, max 72h)
CHECK: data deletion/return at termination clearly specified
CHECK: international transfers covered with appropriate mechanism
CHECK: liability allocation reasonable
CHECK: insurance requirements met

COMMON VENDOR DPA ISSUES

TRAP: vendor DPA says "deletion within 90 days of termination" — may violate client's need for immediate deletion.
TRAP: vendor reserves right to use data for "service improvement" — may exceed controller's instructions.
TRAP: sub-processor list buried in constantly-changing URL — no notification mechanism.
TRAP: audit right limited to "once per year with 60 days notice" — may be insufficient for incident response.
TRAP: vendor DPA references US law as governing law — problematic for EU enforcement.


GDPR REFORM IMPACT (EU Digital Omnibus — proposed Q4 2025)

PROPOSED_CHANGES:
- EDPB Opinion 22/2024: increased documentation and auditing expectations for processors
- Potential streamlining of DPA requirements for SMEs
- No fundamental changes to Art. 28 requirements expected

TIMELINE: 2027-2028 formal proposals, 2031+ implementation.
ACTION: no immediate changes needed — maintain current Art. 28 compliance.


CHECKLIST FOR ERIC

CLIENT_ONBOARDING:
CHECK: determine GE's role (controller, processor, sub-processor)
CHECK: DPA signed before any personal data processing begins
CHECK: sub-processor list provided to client (if GE is processor)
CHECK: international transfers identified and mechanism confirmed
CHECK: TIA completed (if SCCs used)

ONGOING:
CHECK: sub-processor changes notified to controllers
CHECK: DPA inventory updated when vendors change
CHECK: TIA reviewed annually
CHECK: DPF status monitored (Schrems III risk)


READ_ALSO: domains/privacy/index.md, domains/privacy/gdpr-implementation.md, domains/eu-regulation/contract-law.md