VeritasVault
Compliance · EU

Article 28 GDPR and the shape of a processor

What a processor agreement is required to contain says a lot about what a processor is.

29 Apr MMXXVI · 8 min read

Article 28 of the GDPR does something quietly structural: it tells you what a data processing agreement must contain, and in doing so it describes the shape of a processor. Subject matter and duration. Nature and purpose. Categories of data and of subjects. The controller's documented instructions. Confidentiality, security, sub-processing, assistance, deletion, and audit. The list is a portrait.

Reading a processor agreement well means reading it against that portrait and noticing what is thin. A deletion obligation that is vague about timing. A sub-processor clause that grants general authorisation without a mechanism to object. An audit right that exists on paper but is hedged into irrelevance. Each gap is a place where the contract falls short of the shape the regulation expects.

The interesting cases are the ones where the agreement is technically complete but practically hollow — every required element present, each one drafted to do as little as possible. Compliance as a checklist is easy to pass and easy to see through. The question is not whether the clause exists but whether it would do anything.

A platform that processes documents in memory and retains nothing sits comfortably against several of these requirements by construction rather than by clause — deletion is not a promise to schedule when there is nothing to delete. This is a thematic note on how to read such agreements, not legal advice on any specific arrangement.

← Previous noteNext note →

See the reading, not the summary.

Submit a document and receive a clause-by-clause analysis with verified citations — in minutes.

View plans