GDPR ARTICLE 28 + EDPB · 22 QUESTIONS · FREE TEMPLATE

GDPR Article 28 Processor Due Diligence — 22 questions every EU controller asks

Article 28(1) of GDPR requires controllers to use only processors that provide "sufficient guarantees" that processing will meet the Regulation's requirements and protect data subjects' rights. This questionnaire is the standard evidence pack EU privacy teams send to a prospective processor before signing a Data Processing Agreement (DPA).

Total questions: 22
Categories: 7
Typical timeline: 5–10 business days
Effort: 8–16 hours
Who requests it
  • EU/UK controllers' DPOs and privacy counsel
  • Procurement teams in regulated EU industries (banking, insurance, health, telecom)
  • DPIA teams onboarding high-risk processing
Who fills it out
  • Your DPO or privacy lead, with security and engineering input
  • Counsel typically signs the DPA itself

The questionnaire — every question, inline

1. Lawful Basis & Roles

3 questions
Establishing the processor relationship.
  1.1 (Critical) Confirm your role as processor (not controller) for the personal data in scope. Provide a clear list of processing activities.
  1.2 (Critical) Provide your standard DPA (Article 28(3) compliant), including SCC modules where applicable.
  1.3 (High) Do you act as a joint controller for any data category? Disclose with reasoning.

2. Technical and Organisational Measures (TOMs)

5 questions
Article 32 security controls.
  2.1 (Critical) Provide your written TOMs schedule (Article 32) covering encryption, pseudonymisation, confidentiality, integrity, availability, and resilience.
  2.2 (Critical) Encryption at rest and in transit: specify algorithms and protocols. Key management: who holds the keys, and in which jurisdiction are they generated and stored?
  2.3 (High) Access controls: least privilege, MFA, periodic access reviews. Provide evidence of the most recent review.
  2.4 (High) Logging and monitoring of access to personal data. Retention period for logs.
  2.5 (High) Penetration testing and vulnerability management cadence. Is the most recent executive summary available?

3. Sub-processors (Article 28(2)+(4))

3 questions
Authorisation and chain of obligations.
  3.1 (Critical) Public sub-processor list URL, supporting the Article 28(2) authorisation, including each sub-processor's name, function, country, and the data categories it accesses.
  3.2 (High) Notification period before adding or replacing a sub-processor? What is the controller's right-to-object mechanism?
  3.3 (Critical) Confirm flow-down of the Article 28(3) obligations to every sub-processor via written contract (Article 28(4)).

4. Cross-Border Transfers (Chapter V)

3 questions
Adequacy, SCCs, derogations.
  4.1 (Critical) Which countries outside the EEA receive personal data? List all transfer mechanisms in use (2021 EU SCCs, UK IDTA, adequacy decisions, BCRs).
  4.2 (Critical) Have you completed a Transfer Impact Assessment (TIA) following Schrems II and EDPB Recommendations 01/2020? Provide the executive summary.
  4.3 (High) Which supplementary measures are in place where the destination country lacks an adequacy decision?

5. Data Subject Rights (Articles 12–22)

3 questions
Assistance to the controller.
  5.1 (Critical) Describe how you assist the controller with access, rectification, erasure, restriction, portability, and objection requests. Maximum SLA?
  5.2 (High) Are deletions of personal data propagated to backups and analytics stores? Maximum deletion window?
  5.3 (Medium) Is a self-service controller console for data subject request (DSR) fulfilment available?

6. Breach Notification (Article 33)

2 questions
Processor's obligation to notify the controller.
  6.1 (Critical) Commit to a written breach-notification SLA. Article 33(2) requires the processor to notify the controller "without undue delay" after becoming aware of a personal data breach; most controllers negotiate a contractual 24–48 hour window so they can meet their own 72-hour deadline under Article 33(1).
  6.2 (High) Information you will include in the breach notification: categories of data, approximate number of affected data subjects, likely consequences, and measures taken or proposed.

7. Records, Audit & Termination

3 questions
Articles 28(3)(h) (audits), 30 (records) and 28(3)(g) (deletion or return).
  7.1 (High) Audit rights: describe how customers can audit your processing (annual third-party audit, customer site visit, pooled audit). How are costs allocated?
  7.2 (High) Do you maintain Records of Processing Activities (Article 30(2)) for the processing you carry out on behalf of controllers? Provide a sample.
  7.3 (Critical) On contract termination, confirm the controller's options to have personal data deleted or returned. Maximum deletion-confirmation SLA?
Want this pre-filled with YOUR controls?

Run a free GDPR / EDPB Guidelines audit. ComplianceIQ uses your audit responses and generated policies to populate an answer pack you can paste into any SIG, CAIQ, or custom enterprise questionnaire — in minutes, not days.

FAQ

What's the difference between a DPA and this questionnaire?
The DPA is the contract (Article 28(3)). The questionnaire is the due-diligence evidence that supports the controller's choice to sign the DPA with you (Article 28(1)).
How does the EU AI Act change this?
If you process personal data using AI, controllers will additionally ask about model training data, automated decision-making (Article 22), and the AI Act risk classification of the system. Disclose all AI processing in your DPA addendum.
Is a Transfer Impact Assessment (TIA) really mandatory?
For transfers to non-adequate countries (including the US for non-DPF participants), effectively yes. EDPB Recommendations 01/2020 set the framework. Have one ready.
What about GDPR fines for not having these answers?
Article 28 obligations sit in the lower tier of Article 83(4): up to €10M or 2% of worldwide annual turnover, whichever is higher. But the cascading scenario (a breach, no DPA, no TOMs, or unlawful transfers) engages the higher tier of Article 83(5): up to €20M or 4%. Meta was fined €1.2B for unlawful EU-to-US transfers.

Related free policy templates

  • GDPR Data Processing Agreement (DPA)
  • CCPA / CPRA Privacy Notice

What happens when these answers are wrong

Meta Platforms
€1.2B
Largest GDPR fine ever (2023). Continued EU-to-US transfers on SCCs after Schrems II invalidated Privacy Shield, without supplementary measures the regulator considered sufficient.
Amazon Europe Core
€746M
Largest GDPR fine at the time (2021). Behavioural ad targeting without valid consent.

More questionnaires

  • SaaS Vendor
  • Cloud Provider
  • HIPAA BA Assessment
  • SOC 2 Subservice
  • PCI DSS SP