
Beyond Legal #24: The procurement manager who finally met his match


She was the first Data Protection Leader who actually read the DPA thoroughly before I did. — Jonas P., Procurement Manager

Some companies treat the data processing agreement as something that gets attached to a contract rather than something that does real work. Jonas had been in procurement long enough to know that. He had sent hundreds of them. He had never expected anyone in a data protection role to care about what was actually in them from a practical data processing perspective, down to the level of the individual data flows.

Jonas’s story

Jonas is a senior procurement manager at a pan-European manufacturing company. His job is to get contracts signed — efficiently, defensibly, and without unnecessary friction. He understands commercial risk, supplier leverage, and the difference between a clause that matters and one that is there to satisfy a checklist.

Data processing agreements — the agreements required under Article 28 of the GDPR when a controller engages an organisation to process personal data on its behalf — had, in his experience, become a compliance ritual. Legal would send a template. The supplier’s legal team would push back on three clauses. They would settle somewhere in the middle. The agreement would go into the contract management system and nobody would look at it again.

Then he started working with the Data Protection Leader — call her Selin — on a procurement project involving a new HR software platform that would handle personal data for several thousand employees across six EU member states.

Selin had read the draft data processing agreement before the first supplier meeting. Not skimmed it — read it. She came to that meeting with specific questions: which sub-processors would have access to personal data, whether the agreement’s erasure timelines were technically enforceable given the vendor’s architecture, and whether the audit rights clause was actually exercisable or drafted to be practically useless. She had actually sketched out the data flows related to the processing activities across the data lifecycle to support her questions.

Jonas had not been asked those questions by anyone in a data protection role before, and the data flow diagram was new to him.

What happened when procurement and data protection worked together

The conversation changed the atmosphere of the negotiation. Selin’s questions exposed two problems that Jonas would not otherwise have caught: the vendor’s standard sub-processor list was out of date and included an entity in a country without an adequacy decision, and the data erasure clause committed to erasure “within a reasonable timeframe” — a phrase with no legal weight under the GDPR’s requirements for data processing agreements.

Both were fixed before signature. The sub-processor list was updated, a transfer impact assessment was completed for the relevant entity, and the erasure clause was rewritten with a specific timeframe tied to the end of the contract.

When the audit cycle came around twelve months later, the company had a data processing agreement that could actually be used as evidence of compliance. Jonas escalated Selin’s involvement to the CPO. Both Selin and Jonas were eventually promoted into a jointly accountable third-party risk governance function.

What enforcement looks like when data processing agreements fail

Two recent cases show exactly how this plays out when the governance around data processing agreements is treated as a formality rather than as substance.

In March 2025, the UK Information Commissioner’s Office fined Advanced Computer Software Group £3.07 million — the first fine ever imposed by the ICO directly against a processor rather than a controller. Advanced provided IT and software services to NHS organisations and suffered a ransomware attack in 2022, after hackers accessed its systems through a customer account that had no multi-factor authentication in place. The personal data of 79,404 people was exfiltrated, including sensitive health information and the home access details (e.g. key-safe codes/entry information) of 890 individuals receiving care at home. The ICO’s finding focused not on the breach itself but on what lay behind it: gaps in the deployment of basic security measures, insufficient vulnerability scanning, and inadequate patch management. The fine was the ICO’s signal that processors have direct, independently enforceable obligations — and that a controller’s own compliance does not reduce the processor’s liability. It should be noted that the ICO’s original proposed penalty was £6.09 million in August 2024, and was reduced via voluntary settlement reflecting Advanced’s cooperation with NCSC, NCA, and NHS.

In December 2025, the CNIL — France’s supervisory authority — fined Mobius Solutions, an Israeli/UK CRM/marketing technology company that had been a sub-processor to music streaming platform Deezer, €1 million. The breaches included retaining the personal data of over 46 million Deezer users after the contractual relationship ended — a direct violation of the erasure obligations that Article 28(3)(g) requires data processing agreements to contain — and using that data to improve its own services, outside any instructions from Deezer. The CNIL rejected the argument that the data had been copied by employees without management’s knowledge: the data was stored in a company-owned environment, and responsibility sat with the company. The case is a clear illustration of what happens when an erasure clause is either absent from the agreement or present but not operationally enforced.

Both cases share the same underlying failure: data processing agreements that were either inadequate on their face or not treated as working governance documents. Neither organisation appears to have had someone in the room asking the questions Selin asked before signature.

What Article 28 actually requires from a data processing agreement

A data processing agreement under Article 28 of the GDPR is not a formality — it is a binding legal instrument that must specify the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. It must also address sub-processor arrangements: a processor cannot engage a sub-processor without prior specific or general written authorisation from the controller, and where general authorisation is given, the processor must inform the controller of any changes. Erasure obligations must be specific and enforceable, not aspirational. Audit rights must be real, not drafted to be practically unusable. Controllers who treat Article 28 agreements as standard contract annexes — rather than substantive governance documents — have no reliable basis on which to demonstrate accountability under Article 5(2), and as both cases above confirm, no protection from regulatory action when things go wrong downstream.

For more on how processor relationships connect to the broader programme, see Beyond Legal #22 on mapping data flows, and Beyond Legal #23 on what happens when vendor selection skips the governance step.


Article references: Article 5(2) (accountability), Article 28 (processor obligations), Article 28(3)(g) (erasure at end of contract), Article 29 (processing under controller’s authority), Article 30 (records of processing activities), Article 46 (transfers subject to appropriate safeguards).

Series: This is post 24 in the Beyond Legal series — 20 roles, 20 days, real consequences. The story about Selin and Jonas is fictitious; the ICO and CNIL cases are real.

Purpose and Means works with organisations on data protection strategy, governance, and compliance — going beyond the legal text to focus on how things actually get done. If you’d like to discuss what this means for your organisation, book a call or explore our services.

Author
Tim Clements
