pia-vendor-processing
Installation
SKILL.md
Privacy Impact Assessment for Vendor Processing
Overview
When a controller engages a processor (vendor) to process personal data on its behalf, GDPR Article 28 imposes specific obligations on the controller to ensure that the processor provides sufficient guarantees to implement appropriate technical and organisational measures. The EDPB has repeatedly emphasized that the controller remains accountable for the processing regardless of delegation to a vendor. This skill provides a structured PIA methodology for assessing and managing the privacy risks of vendor data processing arrangements.
Regulatory Framework
GDPR Article 28 — Processor Obligations
| Requirement | Description |
|---|---|
| Art. 28(1) | Controller shall use only processors providing sufficient guarantees |
| Art. 28(2) | Processor shall not engage another processor (sub-processor) without prior specific or general written authorisation |
| Art. 28(3) | Processing governed by a contract or legal act setting out subject matter, duration, nature, purpose, data types, categories of data subjects, and controller obligations/rights |
| Art. 28(3)(a)-(h) | Mandatory DPA clauses: process only on documented instructions, confidentiality, security measures, sub-processor conditions, assist with data subject rights, assist with security/breach/DPIA, delete or return data, provide audit information |
| Art. 28(4) | Sub-processor must be bound by the same data protection obligations |
| Art. 28(5) | Adherence to approved codes of conduct or certification (Art. 42) as elements to demonstrate sufficient guarantees |