Inadequate control over processors (Art. 28 GDPR) is one of the fastest-growing fine triggers in the EU. Since 2018, data protection authorities have imposed GDPR fines totalling more than €7.1 billion – and a rising share of them concerns inadequate vendor management (source: Kiteworks: GDPR Fines Hit €7.1 Billion (2026)). The €45 million Vodafone fine in June 2025 – €15 million of it explicitly for inadequate processor oversight – makes the point: regulators no longer just check whether a data processing agreement (DPA) exists. They check whether you actually monitor your service providers on an ongoing basis (source: Heuking: €45M GDPR Fine Against Vodafone).
Art. 28 GDPR: What the law actually requires
Article 28 GDPR defines the controller's obligations when engaging processors. The requirements go far beyond simply signing a contract (source: DSGVO-Gesetz.de: Art. 28 – Processors):
- Careful selection: Engage only processors that provide sufficient guarantees of appropriate technical and organisational measures (TOMs)
- Contractual commitment: A written DPA containing all mandatory content under Art. 28(3) – subject matter, duration, nature and purpose of the processing, categories of data subjects and categories of personal data
- Bound by instructions: Processing only on the documented instructions of the controller
- Confidentiality: All persons authorised to process the data must be bound to confidentiality
- Sub-processor control: No use of sub-processors without prior written authorisation (specific, or general with a right to object)
- Deletion obligation: After the end of the processing, delete or return all personal data
- Audit rights: Make available to the controller all information, audits and inspections required
Why vendor audits are the fastest-growing fine trigger
The CMS GDPR Enforcement Tracker Report 2025 shows that fine amounts are rising significantly – four fines above €1 million in the 2025 reporting period, compared with just two the year before (source: CMS: GDPR Enforcement Tracker Report 2025). Three trends are driving this:
1. Regulators examine the entire chain: It is not just the direct DPA that is examined, but the complete sub-processor chain. The NIS2 Directive tightens this requirement further through a supply-chain risk assessment obligation. A missing sub-processor contract can trigger the fine for the controller – even where the direct processor is acting correctly (source: Dr. Datenschutz: Processing on Behalf and Subcontractors).
2. Ongoing duty to monitor: Courts confirm that Art. 28 GDPR establishes an ongoing monitoring obligation – not just a one-off check at the point of signing. The GDPR sets no fixed interval; the frequency is risk-based, depending on the nature and scope of the processing. In practice, checks roughly every 12 to 18 months are regarded as appropriate, and correspondingly more often for high-risk processing (source: bITs: Controllers' Monitoring Duties in Processing on Behalf).
3. Controllers are liable for processor mistakes – but only within their instructions: In its judgment of 5 December 2023 (Case C-683/21), the Court of Justice of the EU confirmed that controllers can be fined for unlawful processing by their processors – but only where the processing took place within their instructions and they themselves acted intentionally or negligently. Where the processor acts on its own initiative, contrary to instructions and for its own purposes, the controller is not liable (source: CJEU: Judgment of 5 Dec 2023, Case C-683/21).
Real-world fine cases: processor failures
The most recent enforcement actions reveal the pattern:
- Vodafone (DE), June 2025 – €45M: €15M for years of inadequate oversight of partner agencies acting as processors; €30M for security shortcomings in authentication (source: The Record: Germany Fines Vodafone $51 Million)
- Advanced Computer Software (UK), 2025 – £3.07M: The ICO's first fine against a processor itself under the UK GDPR (issued on 27 March 2025) – for inadequate technical and organisational measures (including a lack of multi-factor authentication and poor patch management) that enabled a ransomware attack affecting 79,404 people (source: ICO: Advanced Computer Software Group Limited)
- Clearview AI (NL), 2024 – €30.5M: The Dutch DPA is additionally investigating the personal liability of the company's directors for the GDPR breaches (source: Data Privacy Manager: Biggest GDPR Fines)
The US processor problem: CLOUD Act meets GDPR
A particular risk arises when SaaS platforms use US-based processors. The US CLOUD Act compels US companies to hand over data to US authorities – regardless of where the data is stored. This is in direct conflict with the GDPR (source: Exoscale: CLOUD Act vs. GDPR – The Conflict Explained):
- Art. 48 GDPR stipulates that court rulings from third countries are valid only on the basis of international agreements (MLATs) – the CLOUD Act bypasses these mechanisms
- The EDPB has made clear that service providers subject to EU law cannot base data transfers to US authorities on CLOUD Act requests alone
- Standard contractual clauses (SCCs) and "EU Sovereign Cloud" labels do not eliminate this exposure – the CLOUD Act follows corporate control, not the location of the data
| Criterion | US-based processor | EU-based processor |
|---|---|---|
| CLOUD Act exposure | Yes – obligation to disclose to US authorities | No – only EU law applies |
| Art. 48 GDPR conflict | Irresolvable legal conflict | No conflict |
| Schrems III risk | DPF could be struck down at any time | No dependence on the DPF |
| Sub-processor chain | Often opaque, US subsidiaries | EU chain can be documented |
| DPA compliance | Deletion duty vs. US retention duty | Full GDPR compliance achievable |
| Auditability | On-site audits practically impossible | On-site audits feasible |
Vibe-coded platforms: the blind spot in vendor management
AI-generated platforms have a systemic problem with processor compliance: vibe coding tools wire in third-party services without considering the GDPR implications (source: Scrut: GDPR Fines & Penalties Guide):
- Analytics trackers (Google Analytics, Hotjar, Mixpanel) – US processors, often without a DPA
- Auth providers (Auth0, Firebase Auth, Clerk) – personal data flows to US services
- Payment gateways (Stripe, PayPal) – financial data held by US companies
- CDN/hosting (Cloudflare, Vercel, AWS) – data processing under US jurisdiction
- AI APIs (OpenAI, Anthropic) – user data fed as input into US-based AI models
- Error tracking (Sentry, Bugsnag) – stack traces containing personal data sent to US servers
A typical vibe-coded MVP integrates 8 to 15 third-party vendors – and for most of them there is neither a vetted DPA nor a documented legal basis for the data transfer (source: MakerKit: The SaaS Stack 2026).
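The first step in closing that gap is knowing which vendors the generated code actually talks to. The following script is an added example (not a tool from the article's author or from AnvilStack): it reads a project's package.json and source files, matches npm package names and hostnames against a small signature table, and then reports, per detected vendor, what is missing from the Art. 28 file (no DPA, no documented transfer basis, no monitoring record). The signature table, the jurisdiction labels (which follow the article's classification of these services as US processors) and the DPA register are constructed assumptions for the demonstration and must be verified against each vendor's own documentation before use.

```python
"""Inventory third-party vendors wired into a JavaScript project and flag
those lacking a vetted DPA. Added example, not from the article's author.
Vendor signatures, jurisdictions and the DPA register are constructed
assumptions; check them against the real vendor documentation."""
import json
import re

# Signature table (assumption): npm package names and hostnames that reveal a
# vendor integration. "jurisdiction" follows the article's classification of
# these services as US processors; verify against each vendor's DPA.
VENDOR_SIGNATURES = {
    "Google Analytics": {"packages": {"react-ga4"},
                         "hosts": {"google-analytics.com", "googletagmanager.com"},
                         "jurisdiction": "US"},
    "Hotjar": {"packages": {"@hotjar/browser"}, "hosts": {"hotjar.com"},
               "jurisdiction": "US"},
    "Auth0": {"packages": {"@auth0/auth0-react", "auth0"}, "hosts": {"auth0.com"},
              "jurisdiction": "US"},
    "Firebase Auth": {"packages": {"firebase", "firebase-admin"},
                      "hosts": {"firebaseapp.com"}, "jurisdiction": "US"},
    "Stripe": {"packages": {"stripe", "@stripe/stripe-js"},
               "hosts": {"js.stripe.com", "api.stripe.com"}, "jurisdiction": "US"},
    "OpenAI": {"packages": {"openai"}, "hosts": {"api.openai.com"},
               "jurisdiction": "US"},
    "Sentry": {"packages": {"@sentry/node", "@sentry/react"}, "hosts": {"sentry.io"},
               "jurisdiction": "US"},
}

# Extracts the hostname of any http(s) URL found in source text.
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def find_vendors(package_json_text, source_files):
    """Return the set of vendor names detected from dependencies and URLs.

    source_files maps a relative path to the file's text content."""
    manifest = json.loads(package_json_text)
    deps = set(manifest.get("dependencies", {})) | set(manifest.get("devDependencies", {}))
    hosts = set()
    for text in source_files.values():
        hosts.update(h.lower() for h in HOST_RE.findall(text))
    found = set()
    for name, sig in VENDOR_SIGNATURES.items():
        if deps & sig["packages"]:
            found.add(name)
        elif any(h == s or h.endswith("." + s) for h in hosts for s in sig["hosts"]):
            found.add(name)
    return found


def gap_report(found, dpa_register):
    """For each detected vendor, list what the Art. 28 file is missing.

    dpa_register maps vendor name -> {"dpa_signed": bool,
    "transfer_basis": str | None, "last_audit": str | None}."""
    report = {}
    for name in sorted(found):
        entry = dpa_register.get(name, {})
        gaps = []
        if not entry.get("dpa_signed"):
            gaps.append("no DPA (Art. 28(3))")
        if VENDOR_SIGNATURES[name]["jurisdiction"] != "EU" and not entry.get("transfer_basis"):
            gaps.append("no documented transfer basis (Chapter V)")
        if not entry.get("last_audit"):
            gaps.append("no monitoring record")
        report[name] = gaps
    return report


# Constructed sample project: a typical generated Next.js MVP.
SAMPLE_PACKAGE_JSON = json.dumps({"dependencies": {
    "next": "14.2.0", "@sentry/node": "8.0.0", "stripe": "15.0.0",
    "firebase": "10.0.0", "openai": "4.0.0"}})
SAMPLE_SOURCES = {
    "app/layout.tsx": '<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>',
    "lib/auth.ts": 'const issuer = "https://example-tenant.auth0.com/";',
}
# Constructed DPA register: only two of the vendors have any paperwork.
SAMPLE_DPA_REGISTER = {
    "Stripe": {"dpa_signed": True, "transfer_basis": "SCCs (2021/914) + TIA", "last_audit": "2025-03"},
    "Sentry": {"dpa_signed": True, "transfer_basis": None, "last_audit": None},
}

if __name__ == "__main__":
    detected = find_vendors(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES)
    for vendor, gaps in gap_report(detected, SAMPLE_DPA_REGISTER).items():
        print(f"{vendor}: {', '.join(gaps) if gaps else 'complete'}")
```

Run against a real repository, the output is the starting point for the "before signing" checks below: every vendor with an empty gap list is documented, every other one is a transfer without a legal basis until the DPA and transfer-impact assessment exist. The signature table is deliberately small; extend it with the packages and hostnames your own stack pulls in.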
Practical checklist: processor management for SaaS
Structured vendor management under Art. 28 GDPR covers (source: RDV: Selecting and Vetting the Processor):
Before signing:
- Review of the processor's TOMs (Art. 32 GDPR)
- Assessment of jurisdiction (EU vs. third country)
- DPA containing all mandatory content under Art. 28(3)
- Documentation of the selection decision
Ongoing oversight:
- Regular audit (risk-based) – more frequent for high-risk processing
- Review of sub-processor changes (exercising the right to object)
- Keeping the record of processing activities current (Art. 30 GDPR)
- Monitoring the implementation of TOMs
At end of contract:
- Obtain confirmation of data deletion or return
- Document proof of deletion
- Include sub-processors in the deletion confirmation
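The "review of sub-processor changes" step in the ongoing-oversight list only works if someone notices the change within the objection window. The following script is an added example (not from the article's author): it parses a processor's published sub-processor list into structured entries, fingerprints it so a scheduled job can detect any change, diffs the new list against the stored baseline, and turns every addition or modification into a review task with an objection deadline. The three-column list format, the two sample lists and the 30-day objection window are constructed assumptions; the real window is whatever the DPA with that processor grants.

```python
"""Detect changes in a processor's published sub-processor list and turn them
into review tasks with an objection deadline. Added example, not from the
article's author. List format, sample data and the objection window are
constructed assumptions; take the real window from the DPA."""
import hashlib
import json
from datetime import date, timedelta

OBJECTION_WINDOW_DAYS = 30  # assumption: many DPAs grant 30 days; check yours


def parse_subprocessor_list(text):
    """Parse lines of 'Name | Purpose | Location' into {name: {purpose, location}}.

    A header line starting with 'Name' and malformed lines are skipped."""
    entries = {}
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or parts[0].lower() == "name":
            continue
        name, purpose, location = parts
        entries[name] = {"purpose": purpose, "location": location}
    return entries


def fingerprint(entries):
    """Stable SHA-256 over the canonical JSON form, so a scheduled job can
    compare today's list with the stored baseline without a full diff."""
    canonical = json.dumps(entries, sort_keys=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff_subprocessors(baseline, current):
    """Return added, removed and changed sub-processor names."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(n for n in set(baseline) & set(current) if baseline[n] != current[n])
    return {"added": added, "removed": removed, "changed": changed}


def review_tasks(diff, current, notice_date):
    """One review task per added or changed sub-processor. Entries outside the
    EU are flagged so the transfer basis is checked before the deadline."""
    deadline = notice_date + timedelta(days=OBJECTION_WINDOW_DAYS)
    tasks = []
    for name in diff["added"] + diff["changed"]:
        location = current[name]["location"]
        tasks.append({
            "subprocessor": name,
            "kind": "added" if name in diff["added"] else "changed",
            "purpose": current[name]["purpose"],
            "third_country": location != "EU",  # assumption: location is "EU" or a country/region tag
            "deadline": deadline,
        })
    return tasks


# Constructed sample: the list as recorded at the last review ...
BASELINE_LIST = """
Name | Purpose | Location
Hetzner Online GmbH | hosting | EU
Postmark | transactional email | US
Cloudflare | CDN | US
"""
# ... and the list published today: one removed, one added, one purpose widened.
CURRENT_LIST = """
Name | Purpose | Location
Hetzner Online GmbH | hosting | EU
Cloudflare | CDN and WAF logs | US
Amazon Web Services | hosting of backups | US
"""

if __name__ == "__main__":
    base = parse_subprocessor_list(BASELINE_LIST)
    cur = parse_subprocessor_list(CURRENT_LIST)
    if fingerprint(base) != fingerprint(cur):
        changes = diff_subprocessors(base, cur)
        print("changes:", changes)
        for task in review_tasks(changes, cur, date.today()):
            print(task)
```

Store the fingerprint and the parsed baseline alongside the DPA; a removed sub-processor (Postmark in the sample) produces no task but is worth recording too, because the "at end of contract" step needs proof that the data it held was deleted.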
How AnvilStack ensures GDPR-compliant vendor management
We use AI tools for rapid development – but every third-party vendor is checked for GDPR compliance before integration:
- Vendor assessment before integration: Every third-party vendor is checked for jurisdiction, TOMs, sub-processor chain and DPA quality – before a single line of code is written
- EU-first stack: PostgreSQL (self-hosted), Hetzner (DE), EU-based services – no US-processor dependencies in the core infrastructure
- Complete record of processing activities: Art. 30-compliant documentation of all data flows, updated automatically when the architecture changes
- Sub-processor monitoring: Automated alerts when the sub-processors of the services in use change
- CLOUD Act-free: Exclusive Hetzner hosting (Germany) and an EU-based toolchain remove the risk of US data-disclosure obligations. Our security hardening service implements the technical safeguards required under Art. 32 GDPR
- Audit documentation: All vendor decisions documented and ready to present at any time for regulatory reviews
In a free initial consultation, we assess your SaaS platform for GDPR-compliant processor integration – from the sub-processor chain to CLOUD Act exposure. For a fixed price of €36,000, we then migrate and harden your platform on EU-sovereign infrastructure.
Frequently asked questions
What is a processor under the GDPR?
What penalties apply for inadequate vendor management?
How often must I audit my processors?
Why are US-based processors a problem?
Am I liable for my processors' mistakes?
How many third-party vendors does a typical vibe-coded MVP have?
Sources
- DSGVO-Gesetz.de: Art. 28 – Processors
- DSK: Short Paper No. 13 – Processing on Behalf
- Kiteworks: GDPR Fines Hit €7.1 Billion (2026)
- CMS: GDPR Enforcement Tracker Report 2025
- Heuking: €45M GDPR Fine Against Vodafone
- The Record: Germany Fines Vodafone $51 Million
- ICO: Advanced Computer Software Group Limited
- CJEU: Judgment of 5 Dec 2023, Case C-683/21
- Exoscale: CLOUD Act vs. GDPR
- Kiteworks: CLOUD Act & European Data Protection
- bITs: Controllers' Monitoring Duties in Processing on Behalf
- Dr. Datenschutz: Processing on Behalf and Subcontractors
- RDV: Selecting and Vetting the Processor
- BayLfD: Guidance on Processing on Behalf
- Scrut: GDPR Fines & Penalties Guide
- MakerKit: The SaaS Stack 2026
- Data Privacy Manager: Biggest GDPR Fines