pia-vendor-processing

Installation
SKILL.md

Privacy Impact Assessment for Vendor Processing

Overview

When a controller engages a processor (vendor) to process personal data on its behalf, GDPR Article 28 imposes specific obligations on the controller to ensure that the processor provides sufficient guarantees to implement appropriate technical and organisational measures. The EDPB has repeatedly emphasized that the controller remains accountable for the processing regardless of delegation to a vendor. This skill provides a structured PIA methodology for assessing and managing the privacy risks of vendor data processing arrangements.

Regulatory Framework

GDPR Article 28 — Processor Obligations

Requirement Description
Art. 28(1) Controller shall use only processors providing sufficient guarantees
Art. 28(2) Processor shall not engage another processor (sub-processor) without prior specific or general written authorisation
Art. 28(3) Processing governed by a contract or legal act setting out subject matter, duration, nature, purpose, data types, categories of data subjects, and controller obligations/rights
Art. 28(3)(a)-(h) Mandatory DPA clauses: process only on documented instructions, confidentiality, security measures, sub-processor conditions, assist with data subject rights, assist with security/breach/DPIA, delete or return data, provide audit information
Art. 28(4) Sub-processor must be bound by the same data protection obligations
Art. 28(5) Adherence to approved codes of conduct or certification (Art. 42) as elements to demonstrate sufficient guarantees
Installs
11
GitHub Stars
187
First Seen
May 12, 2026
pia-vendor-processing — mukul975/privacy-data-protection-skills