When you acquire a company, you acquire its data. Not just its customer data or employee data — you acquire its status as a data controller under GDPR, with all the obligations that implies.
Article 28 of GDPR requires that when a controller uses a processor (any third-party service that processes personal data on its behalf), there must be a written Data Processing Agreement (DPA) in place. The controller is responsible for ensuring that DPA meets GDPR’s minimum standards — and for monitoring the processor’s compliance.
In M&A, the problem is that most companies don’t know how many DPAs they have, what those DPAs actually cover, or whether the processors are actually processing data in the way the DPA assumes.
The Discovery Problem: How Many SaaS Apps Does This Company Actually Use?
The average mid-size enterprise uses 140-200 SaaS applications. The IT department knows about maybe 40% of them. Finance knows about the ones that appear on a credit card statement or invoice. The legal team knows about the ones that went through a procurement review.
The rest are shadow IT.
ACQI’s SaaS discovery module finds all authenticated SaaS applications across the network — including ones that were never submitted to IT, never went through procurement, and never had a DPA signed. In the first scan of an acquired company’s environment, it’s common to find 30-40% of the actual SaaS footprint is uncatalogued.
The Article 28 Implications
Under Article 28, the following minimum elements must be in every DPA:
- The processor shall process personal data only on documented instructions from the controller
- The processor shall ensure that persons authorized to process the data have committed to confidentiality
- The processor shall implement appropriate technical and organizational security measures (Article 32)
- The processor shall not engage another processor without the controller’s prior specific or general written authorization
- The processor shall assist the controller in ensuring compliance with GDPR obligations (Articles 32-36)
- The processor shall delete or return all personal data at the end of the relationship
- The processor shall make information available to enable the controller to meet its supervisory authority audit rights
Most standard SaaS DPAs cover these elements, with a caveat: they usually require the controller to notify the processor of any personal data breach within 72 hours. This is the same timeline as GDPR’s 72-hour supervisory authority notification requirement — so if a breach occurs, the controller needs to know which processors are involved and what their notification obligations are, simultaneously.
The M&A-Specific Article 28 Problem
When Company A acquires Company B, Company B’s data processing activities are now Company A’s responsibility. This means:
DPA Inventory Transfer: All of Company B’s Article 28 DPAs must be transferred to Company A’s legal/compliance team. This includes DPAs with cloud providers, HR systems, marketing automation platforms, financial systems, and any other processor that touches personal data.
New Controller Status: When a company is acquired, it doesn’t automatically become a separate data controller. The acquiring company becomes the data controller. The acquired company’s existing DPAs remain in effect — but now the acquiring company is the responsible party for ensuring those DPAs are compliant.
Cross-Border Data Transfer Issues: If the acquired company uses processors in the US or other third countries, and those processors are not covered by Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework, the data transfers are illegal post-Schrems II.
The SCC issue is particularly acute for SaaS applications. Many SaaS vendors — including Salesforce, Microsoft (for certain workloads), and Workday — have updated their DPAs to include SCCs post-Schrems II. Many have not.
Acquired Company as New Controller: If the acquired company processes data from EU individuals (employees, customers, suppliers) and the acquisition changes how that data is processed (new purposes, new systems, new sub-processors), the Article 28 basis for processing may need to be updated. The lawful basis for processing doesn’t automatically transfer to the new controller.
The Practical Due Diligence Checklist
DPA Inventory (per processor)
- Is there a signed DPA for every SaaS and cloud application that processes personal data?
- Does the DPA include the minimum Article 28 required elements?
- Has the processor notified the controller of any sub-processors added since the DPA was signed?
- Does the processor have appropriate SCCs or other transfer mechanism for any data transferred to third countries?
Data Processing Register (Article 30)
- Does the acquired company maintain an Article 30 record of processing activities (ROPA)?
- Does the ROPA cover all the processing activities discovered by ACQI’s SaaS scan?
- Are the purposes and lawful bases documented for each processing activity?
Cross-Border Transfer Map
- Map every country where personal data of EU individuals is processed or stored
- Identify which of those countries have adequate data protection decisions from the EU Commission
- For all other countries, verify SCCs or binding corporate rules are in place
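The DPA inventory questions above and the cross-border transfer map are the two checks that benefit most from being run mechanically against the discovery scan rather than against the procurement list. The script below is an added example, not ACQI code or any vendor's tooling: it takes a constructed list of SaaS apps observed on the network, a constructed DPA register keyed by app name, and an illustrative subset of jurisdictions that need no transfer mechanism (EU/EEA states plus a few adequacy decisions; the real list must be checked against the Commission's current decisions), and reports apps with no DPA on file, DPAs missing an Article 28 element, data processed in a third country with no SCC/DPF/BCR, stale sub-processor notifications, and DPAs for apps the scan never saw.

```python
"""Reconcile a SaaS discovery scan against a DPA register and build a transfer map.

Added example with constructed data; the jurisdiction list is an illustrative
subset and not authoritative.
"""
from dataclasses import dataclass
from typing import Optional

# Minimum Article 28(3) elements, as enumerated in the text above.
ART28_ELEMENTS = frozenset({
    "documented_instructions",     # process only on documented instructions
    "confidentiality",             # authorized persons bound to confidentiality
    "art32_security",              # appropriate technical and organizational measures
    "subprocessor_authorization",  # no sub-processor without written authorization
    "assistance_art32_36",         # assist the controller with Articles 32-36
    "delete_or_return",            # delete or return data at end of relationship
    "audit_information",           # make information available for audits
})

# Illustrative subset of jurisdictions where no transfer mechanism is required
# (EU/EEA examples plus some adequacy decisions). Verify against the Commission's
# current adequacy list before relying on this set.
NO_MECHANISM_NEEDED = frozenset({
    "DE", "FR", "IE", "NL", "SE", "NO", "IS", "LI",   # EU/EEA examples
    "CH", "GB", "JP", "KR", "CA", "NZ", "IL", "AR",   # adequacy decisions
})


@dataclass(frozen=True)
class DpaRecord:
    processor: str
    hosting_country: str               # ISO 3166-1 alpha-2 code where data is processed
    dpa_elements: frozenset            # subset of ART28_ELEMENTS present in the DPA
    transfer_mechanism: Optional[str]  # "SCC", "DPF", "BCR" or None
    subprocessor_list_current: bool    # sub-processor notifications received since signature


def needs_transfer_mechanism(country: str) -> bool:
    """True when data processed in `country` needs SCCs, DPF or BCRs."""
    return country.upper() not in NO_MECHANISM_NEEDED


def reconcile(discovered_apps, register):
    """Return (app, finding_code, detail) tuples for the DPA inventory review."""
    findings = []
    seen = set()
    for app in discovered_apps:
        key = app.lower()
        seen.add(key)
        rec = register.get(key)
        if rec is None:
            findings.append((app, "NO_DPA_ON_FILE", "observed on network, no DPA in register"))
            continue
        missing = ART28_ELEMENTS - rec.dpa_elements
        if missing:
            findings.append((app, "DPA_INCOMPLETE", "missing: " + ", ".join(sorted(missing))))
        if needs_transfer_mechanism(rec.hosting_country) and rec.transfer_mechanism is None:
            findings.append((app, "NO_TRANSFER_MECHANISM",
                             f"processed in {rec.hosting_country} with no SCC/DPF/BCR"))
        if not rec.subprocessor_list_current:
            findings.append((app, "SUBPROCESSORS_UNVERIFIED",
                             "no sub-processor notification since DPA signature"))
    # DPAs on file for apps the scan never saw: confirm they were decommissioned.
    for key in register.keys() - seen:
        findings.append((register[key].processor, "NOT_OBSERVED",
                         "DPA on file but app not seen in scan"))
    return findings


def transfer_map(register):
    """Country code -> sorted processor names, for the cross-border transfer map."""
    out = {}
    for rec in register.values():
        out.setdefault(rec.hosting_country, []).append(rec.processor)
    return {country: sorted(names) for country, names in out.items()}


# Constructed sample data: four apps seen by the scan, four DPAs in the register.
SCAN_RESULT = ["HRPortal", "CRMSuite", "Warehouse", "ChatTool"]
REGISTER = {
    "hrportal": DpaRecord("HRPortal", "US", ART28_ELEMENTS, "SCC", True),
    "crmsuite": DpaRecord("CRMSuite", "US", ART28_ELEMENTS - {"subprocessor_authorization"}, None, False),
    "warehouse": DpaRecord("Warehouse", "IE", ART28_ELEMENTS, None, True),
    "oldtool": DpaRecord("OldTool", "GB", ART28_ELEMENTS, None, True),
}

if __name__ == "__main__":
    for app, code, detail in reconcile(SCAN_RESULT, REGISTER):
        print(f"{code:24} {app:10} {detail}")
    print(transfer_map(REGISTER))
```

Keying the register by a normalized app name is the weak point in practice: the scan reports hostnames or OAuth client names, while the register holds vendor legal names, so a mapping table from observed identifiers to register entries has to be maintained, and every unmapped identifier should be treated as NO_DPA_ON_FILE until someone proves otherwise.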
Specific High-Risk Processors
- HR systems (Workday, BambooHR, ADP) — processing employee personal data
- Marketing platforms (Salesforce, HubSpot, Marketo) — processing customer/prospect personal data
- Cloud data warehouses (Snowflake, Databricks, BigQuery) — processing data that may include personal data
- Background check / identity verification providers — processing special category data
The Integration Cost Nobody Budgeted
A mid-size acquisition typically has 80-140 active SaaS applications. A legal/compliance review of all DPAs — to verify Article 28 compliance, identify missing agreements, and flag transfer mechanism gaps — takes a legal team 3-6 months. At typical outside counsel rates, this can cost $200K-400K.
This cost is almost never in the deal model. And it can’t be deferred — until it’s complete, the acquirer is operating with potential GDPR Article 28 violations that could result in supervisory authority fines of up to 2% of global annual revenue.
ACQI’s SaaS discovery report provides the technical foundation that allows the legal team to scope the DPA review to actual processors in use — rather than relying on the procurement list, which will miss 30-40% of the actual SaaS footprint.