anonym.legal
GDPR & Compliance

What Your DPO Needs to Approve Your Anonymization Tool: A GDPR Article 28 Vendor Assessment Checklist

GDPR Article 35 requires DPIAs for high-risk processing. ISO 27001 certification reduces security questionnaire time by 73%. Fortune 500 security procurement requires ISO 27001 in 78% of RFPs. DPOs need documented security controls, EU data residency, and DPIA availability.

March 5, 2026 | 9 min read

Tags: DPO GDPR vendor assessment, GDPR Article 28 checklist, DPIA anonymization tool, ISO 27001 procurement, data processor evaluation

The DPIA Vendor Assessment Requirement

GDPR Article 35 requires Data Protection Impact Assessments for processing likely to result in high risk to individuals' rights and freedoms. Large-scale processing of personal data (Article 35(3)(b)) falls within this requirement. When an organization deploys an anonymization tool for large-scale PII processing, the DPIA must evaluate the tool's provider as a data processor under GDPR Article 28.

Article 28 requires that data processors provide "sufficient guarantees to implement appropriate technical and organisational measures" and that processing be "governed by a contract or other legal act under Union or Member State law." A DPO completing a DPIA for an anonymization tool must document: the tool's security measures, its sub-processor relationships, its data residency, its data breach notification procedures, and the data processing agreement governing the relationship.

ISO 27001 certification significantly reduces the DPIA documentation burden: BSI research (2024) found that ISO 27001 certified organizations reduce security questionnaire time by 73%. Gartner found that Fortune 500 security procurement requires ISO 27001 in 78% of RFPs. When the anonymization tool is ISO 27001 certified, the DPIA can reference the certification rather than attempting to independently verify the tool's security controls.

The Article 28 Vendor Assessment Checklist

DPOs assessing an anonymization tool against GDPR Article 28 requirements should verify:

1. Data Processing Agreement: Is a GDPR-compliant DPA available? Does it cover all required Article 28 provisions: processing only on documented instructions, confidentiality obligations, security measures, sub-processor controls, data subject rights assistance, deletion or return upon contract end, and audit cooperation?

2. Security measures documentation: Are the technical and organizational security measures documented in a manner that satisfies Article 32? For ISO 27001 certified tools, the certification and Statement of Applicability provide this documentation.

3. Sub-processor transparency: Does the tool use sub-processors? Are they listed and accessible? Sub-processor changes require prior notification to the controller. Tools using multiple cloud infrastructure providers (for redundancy, CDN, etc.) must document each sub-processor.

4. Data residency: Where is personal data processed and stored? For EU-based DPOs, EU data residency or a zero-knowledge architecture (no personal data transmitted to the provider's servers) is required. US-based tools require documented Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) to cover the transfer.

5. Data breach notification: What are the tool's breach notification procedures? GDPR Article 33 requires the controller to notify the supervisory authority within 72 hours of becoming aware of a breach. Article 28 requires processors to notify controllers "without undue delay" after becoming aware of a breach — early enough that the controller can still meet its own 72-hour deadline.

6. DPIA availability: Has the tool provider completed their own DPIA? Is it available to enterprise customers for inclusion in the controller's DPIA? A tool provider that has not completed a DPIA for their own processing creates a documentation gap in the controller's DPIA.

7. Erasure and portability support: Can the tool fulfill Article 17 (erasure) and Article 20 (portability) obligations? For zero-knowledge tools where no personal data is stored, the erasure question may not arise — but the DPIA must document this.

Consider an Austrian insurance company DPO completing a DPIA for a complaint anonymization process. From a compliant tool provider they can request and receive four documents: the ISO 27001 certificate, EU hosting documentation, the provider's own DPIA, and the DPA. Together these provide complete Article 28 coverage for the controller's DPIA, and a supervisory authority audit finds the DPIA complete.
