Vendor Oversight and Legal Characterisation

Back to News & Insights

Philipa Jane Farley, Head of Legal and Operations

This article accompanies Hour 4: Vendor Management Oversight in our full-day CPD programme on XpertAcademy. Completion of the full one-hour session, including the related learning materials, contributes to the one-hour CPD certificate issued for that session. You can access the course here: CPD Event A: Full-Day Regulatory Privacy Training.

Vendor oversight often weakens before monitoring even begins

Vendor management is often framed too narrowly. The organisation onboards a supplier, legal reviews the paperwork, a data processing agreement is requested, and privacy is then asked whether the vendor is “covered”. That sequence is familiar. It is also where a great deal of weak practice begins.

The first privacy question in a vendor relationship is not whether a DPA is in place. It is whether the organisation has correctly understood what role the other party is actually performing in relation to the personal data. If that point is missed, the rest of the oversight model is built on the wrong foundation. The wrong agreement may be used, wrong risks may be reported, or the wrong controls may be prioritised. In some cases, the organisation may believe it has documented accountability when it has only described part of the relationship.

Vendor oversight often weakens at the point where the organisation chooses the wrong legal model for the relationship and then builds its controls around that error.

This is one of the reasons vendor management repeatedly becomes a source of exposure. Organisations often move too quickly from “supplier involved” to “processor appointed”. That may be right in some cases. In others, it is incomplete or simply wrong.

A supplier may be a processor for some elements of the service and an independent controller for others. In some relationships, the other party is not a processor at all. In others again, the arrangement may involve elements of joint controllership that are not being recognised because the parties prefer the apparent neatness of processor language.

That is why this topic matters for the DPO or privacy manager. Vendor oversight is not just about monitoring suppliers after onboarding. It starts with legal and factual accuracy. If the relationship is characterised too loosely at the outset, the organisation’s privacy position is likely to remain weaker than it appears throughout the life of the arrangement.

The classification question comes before the agreement question

Privacy review is often reduced to paperwork. The contract arrives, a DPA is attached, and the organisation asks whether the necessary clauses are present. That is a normal operational step, but it is not the point at which the analysis should begin.

The more important question is what the facts of the arrangement actually show. Who is deciding why the personal data is being used? Who is deciding the essential means of the processing? Is the supplier acting only on the organisation’s instructions, or is it using the data for its own purposes as well? Does the answer differ depending on the data flow, the service element or the stage of the relationship?

These are not drafting niceties. They determine the legal model that should apply. A processor is not created by labelling the supplier a processor. A controller-to-controller relationship is not avoided by putting Article 28 wording into a contract. Joint controllership is not displaced simply because the parties would prefer one side to take a more passive label. The factual reality of the processing remains the starting point.

That matters because privacy obligations attach differently depending on the role actually being performed. If the organisation applies a processor framework where the other party is determining its own purposes, the contract may give a false impression of control. If the relationship is treated as controller-to-controller where the organisation is in fact instructing the other party in a more constrained way, the oversight model may be looser than it should be. If the relationship contains mixed elements, but only one side of the picture is documented, the organisation may be carrying accountability gaps that do not become obvious until the relationship is tested.

The privacy risk in many vendor arrangements begins before any monitoring issue arises. It begins when the relationship is documented on a legal basis that does not match the facts.

For the DPO or privacy manager, this is one of the most useful ways to reframe vendor review. The immediate task is not to decide whether the paperwork is present. It is to decide whether the legal characterisation is sound enough to support everything that follows.

Where the supplier really is a processor

There will, of course, be many cases where the supplier is acting as a processor. If the organisation determines the purposes of the processing, defines the essential features of what is to be done with the data, and the supplier is carrying out that processing on documented instructions, then the processor framework is likely to be the correct one.

Where that is the case, the familiar GDPR consequences follow. Article 28 becomes central. Appropriate contractual provisions are required. Due diligence matters. Oversight matters. The controller remains accountable for the processing carried out on its behalf. None of that is in doubt. What is often misunderstood is what the processor model does and does not achieve in practice.

A processor agreement is not a substitute for understanding the service. It does not eliminate the need to assess what the processor is actually doing, how sub-processing is structured, how changes to the service are managed, whether monitoring is meaningful, or whether the organisation’s theoretical rights are usable in practice. An Article 28 framework only supports accountability if the organisation is able to retain some practical grip on the relationship over time.

Weak processor oversight is not usually just a drafting failure. It is often a failure to revisit whether the organisation still understands the relationship as it has developed. A processor approved for a bounded purpose may, over time, handle larger volumes of data, support more business functions, rely on a wider sub-processing chain or become much harder to challenge commercially than at the point of onboarding.

A processor arrangement is only as strong as the organisation’s ability to understand the service, monitor material change and respond where the practical level of control weakens over time.

This is where the DPO or privacy manager needs to be more exact than a basic contract review allows. The issue is not simply whether the processor clauses are there. It is whether the processor model still fits the service as used, and whether the organisation’s oversight is operating at the level the risk now requires.

Not every vendor relationship is a processor relationship

One of the most persistent oversimplifications in vendor management is the assumption that any supplier handling personal data is acting as a processor. That is often operationally convenient, but it can be legally and practically misleading.

Some third parties use personal data for their own purposes and within their own regulatory or commercial frameworks. In those relationships, they are not simply carrying out another organisation’s instructions. They may be receiving data from the organisation, but that does not make them its processor.

That point is easy to lose in practice because controller-to-controller relationships are often less tidy from a governance point of view. They force the organisation to confront the fact that the other party has its own purposes, its own lawful basis position, its own transparency obligations and, in many cases, its own onward disclosure model. The organisation does not retain the same type of instruction-based control that exists in a processor relationship.

Examples vary by context, but the pattern is familiar. A professional adviser may receive personal data and use it within its own regulated professional role. An insurer, benefits provider, fraud prevention service, credit agency, external platform provider or specialist analytics provider may determine certain purposes of use for itself. Some software providers may act as a processor for the hosted client environment while separately using certain data for product security, abuse detection, fraud control or service improvement on their own account.

In those cases, a DPA alone is not enough. In some cases, it is not the right primary instrument at all.

A more appropriate arrangement may require controller-to-controller provisions or a data sharing agreement that properly addresses the legal and governance consequences of disclosure to another controller. That means looking more carefully at the purpose of the sharing, the lawful basis relied upon, transparency to data subjects, onward transfers, retention boundaries, rights handling, security expectations and any restrictions or conditions the organisation wants to attach to the sharing.

Where the other party is determining its own purposes, the issue is no longer processor oversight alone. It becomes a question of whether the organisation has a defensible controller-to-controller sharing model.

That is a materially different type of privacy analysis. The DPO or privacy manager should not be satisfied simply because “privacy terms” exist somewhere in the contract. The key question is whether the organisation has recognised that the relationship is not one of delegated processing only, and whether the right agreement structure has been used as a result.

Why data sharing agreements matter in controller-to-controller scenarios

Data sharing agreements are sometimes treated as secondary documents compared with DPAs. In practice, where personal data is disclosed to another controller, a well-structured data sharing agreement can be at least as important from a governance perspective.

That is because the legal and accountability issues are different. The organisation is no longer only asking how to bind a supplier to instructions. It is asking on what basis the data is being shared, what each party is entitled to do with it, what constraints or expectations apply to onward use, how transparency is addressed, how retention is framed, how rights requests are handled where responsibilities overlap, and what happens if the legal position around the sharing changes.

This is especially important where the relationship is significant but not neatly reducible to a pure service provider model. Without a good controller-to-controller framework, organisations can end up assuming that the existence of a commercial contract means the privacy position is adequately covered. It often is not.

A well-structured data sharing agreement does not make accountability disappear, but it does force the parties to confront the right questions. What is being shared, why, under what legal basis, with what expectations around use, and with what allocation of responsibility? Those are exactly the questions that tend to go underexplored when the relationship is hastily labelled as a processor arrangement.

For the DPO or privacy manager, this is often where advisory value is clearest. The privacy function should be able to explain not just that a DPA is the wrong tool in a particular case, but why the relationship requires a more accurate controller-to-controller analysis and what practical consequences follow from that reclassification.

Hybrid relationships are often the real trap

Some of the hardest vendor arrangements are not purely processor or purely controller relationships. They are mixed. That is often where privacy oversight becomes both more difficult and more important.

A SaaS provider may act as a processor in relation to customer data hosted in the service, while separately acting as a controller for certain telemetry, fraud prevention, service security or product improvement functions. A benefits or HR platform may process employee data on the organisation’s instructions for certain service elements while separately determining aspects of use for its own legal, product or operational purposes. An external specialist may process personal data under instruction for one strand of a project while independently determining how related information is used for another.

These mixed models create a practical temptation. The organisation may want to pick one label for the relationship as a whole and move on. That is understandable. It is also often the source of poor documentation and weak oversight.

A hybrid relationship needs to be analysed by reference to the relevant data flows and purposes. One part of the arrangement may require an Article 28 processor framework. Another may require controller-to-controller data sharing provisions. In some cases, there may need to be a combination of both within the same broader contractual package, supported by clear internal mapping of which activities fall into which category.

Some of the weakest vendor arrangements are not wrongly documented because nobody cared. They are wrongly documented because the relationship was more complex than the organisation was willing to analyse properly.

This is a particularly important point for the DPO or privacy manager because hybrid arrangements often create false confidence. The organisation may believe the relationship is “covered” because a DPA is in place, while significant parts of the vendor’s role sit outside that processor model altogether. Unless the mixed nature of the arrangement is explicitly recognised, the oversight model is likely to remain partial and reporting to management may understate the real legal and governance complexity.

Joint controllership is different again

Joint controllership creates a different type of issue, and it is often under-identified for the same reason hybrid arrangements are under-analysed: the processor model is usually seen as more straightforward and more comfortable from a governance perspective.

But joint controllership cannot be wished away through preference. If two parties are jointly determining the purposes and means of the processing, then the organisation needs to recognise that reality and deal with it properly.

This is not the same as saying that both parties are merely involved in the same broad environment. Joint controllership is not established simply because two organisations are both present or both interested. The question is whether they are together shaping the relevant processing in a sufficiently real way that responsibilities need to be allocated accordingly.

That can arise in partnerships, co-branded initiatives, consortium arrangements, shared programmes, data-enabled campaigns, platform relationships or service designs where both sides materially shape why and how the processing occurs. In those cases, the organisation should not be looking only for processor language. It should be asking whether an Article 26-style joint controller arrangement is needed and whether the essentials of that arrangement are reflected in practice.

That matters because joint controllership affects how responsibilities are allocated, how transparency is addressed and how the organisation explains the relationship to data subjects and to regulators if challenged.

Joint controllership often becomes visible only when the organisation stops asking who is receiving the data and starts asking who is shaping the purpose of the processing.

For a DPO or privacy manager, this is another area where advisory value lies in resisting oversimplification. The relationship may be commercially described as a vendor arrangement, but that does not answer the privacy question. If the other party is participating in the determination of purpose and means, processor language may obscure more than it clarifies.

Why misclassification matters so much in practice

It is easy to make this sound theoretical. It is not. The reason classification matters is that the legal model chosen at the outset shapes everything that follows: what agreement is used, what due diligence is prioritised, what monitoring takes place, what transparency position is taken, what rights-handling assumptions are made, how incidents are escalated, what is reported to management, and what the organisation thinks it can defend if the relationship is later scrutinised.

If a third-party controller is treated as if it were a processor, the organisation may believe it has more control than it does. If a hybrid relationship is reduced to a single processor model, important elements of onward use or independent purpose-setting may go undocumented. If a joint controller scenario is treated as a routine vendor arrangement, accountability may be allocated in a way that bears little resemblance to how the processing is actually designed and operated.

This is one of the reasons vendor oversight often looks stronger than it is. The organisation may genuinely have a contract, a review process and some monitoring in place. But if the underlying legal model is wrong, those controls are operating against the wrong understanding of the relationship.

A vendor arrangement cannot be treated as well governed simply because it is documented. The first question is whether it has been documented on the right legal basis at all.

That is a point worth taking seriously in management and board reporting, because it shifts the conversation from process completion to legal and governance accuracy.

The DPO’s role is to explain what the relationship means, not just what document is missing

A common failure mode for privacy teams is that they identify an issue but report it in a way that is too generic to support good decisions. Saying that a vendor arrangement needs a DPA, or that the supplier should be reviewed, may be technically correct but not especially useful if the deeper issue is misclassification, increasing dependency or structural limits in oversight.

The privacy function adds most value where it can explain what type of relationship exists and why that changes the organisation’s accountability position. That means being able to distinguish clearly between a processor oversight issue, a controller-to-controller sharing issue, a joint controller issue or a mixed model that needs to be mapped and governed in parts.

That distinction matters because the governance consequences are different. A processor relationship calls for strong instruction-based oversight, monitoring, sub-processor scrutiny and change control. A controller-to-controller arrangement raises different questions around lawful basis, transparency, onward use, retention, rights handling and defensibility of sharing. A joint controllership issue raises questions about allocation of responsibility and how the organisation will explain the arrangement if challenged. A hybrid model requires the organisation to recognise that different legal and operational treatments may apply within the same broader commercial arrangement.

The privacy function adds most value where it does not report “vendor risk” as a single category, but explains what type of data relationship exists and why that changes the organisation’s accountability position.

That is where privacy advice starts to influence decisions rather than simply annotate contracts.

Feeding the issue into the organisation requires different reporting depending on the model

Once the relationship has been characterised properly, the DPO or privacy manager then needs to decide how to feed the issue into the organisation.

This is where a lot of privacy reporting becomes too compressed. Vendor arrangements are grouped together as “third-party risk” or “processor risk” even where the underlying problems are materially different. That reduces the usefulness of the reporting and can make it harder for senior management to understand what decisions or mitigations are actually needed.

A processor issue may need to be reported as a matter of oversight strength, weak auditability, poor change control, insufficient monitoring or material reliance on sub-processors. A controller-to-controller relationship may need to be reported as a question of sharing rationale, transparency exposure, legal defensibility or unclear accountability boundaries. A hybrid relationship may need to be escalated because the organisation has only partially documented the legal structure of the arrangement. A joint controllership issue may need to be framed around allocation gaps, data subject handling responsibilities or strategic governance consequences.

That is where the DPO’s analytical role becomes a governance role. The issue is no longer simply whether a privacy concern exists. The issue is whether the organisation is receiving an accurate description of the type of exposure it has taken on.

A processor issue, a data sharing issue and a joint controllership issue should not appear in governance reporting as if they were the same type of problem. They expose the organisation in different ways and require different responses.

This is especially important where the organisation wants concise reporting. Concision is useful, but not if it collapses the legal and governance distinctions that make the issue intelligible.

DORA and AI make misclassification and weak oversight more serious

The DORA and AI crossovers become much more useful once the classification problem is understood. 

DORA sharpens the consequences of weak third-party oversight by asking not only whether the relationship is contractually manageable, but whether the organisation has become operationally dependent on a provider in a way that changes the seriousness of any control weakness. A relationship that looks routine under a narrow privacy lens may be much more significant once criticality, substitutability, concentration and resilience are considered.

AI sharpens a different aspect of the problem. Many AI-enabled services are more difficult to characterise neatly because the provider’s role may not fit comfortably within a pure processor model. There may be complex service architectures, layered sub-processing, separate safety or abuse-monitoring functions, telemetry, service-improvement claims, model-related uses or contractual positions that are superficially reassuring but operationally difficult to verify. In that environment, misclassification becomes more likely and the limits of oversight become more important.

In AI-enabled services, the privacy question is often not simply whether the vendor presents risk, but whether the organisation has correctly understood what role the vendor is actually playing in relation to the data.

That point matters because it changes what should be escalated. The issue may not be obvious non-compliance. It may be that the organisation is relying on a legal description of the vendor relationship that is too simplistic for the service it is actually using, or that it is accepting a level of opacity that should be understood and approved at a higher level.

What a mature privacy review of vendor relationships should actually involve

A mature review of vendor relationships should therefore go further than checking whether contractual templates have been completed. The privacy function should be asking what personal data is actually involved, what the service is genuinely doing with it, who is determining the purposes and essential means, whether different parts of the relationship need to be analysed differently, whether the agreements in place reflect that structure, and whether the oversight model matches the legal model that has been chosen.

That may sound obvious, but it is often not what happens in practice. In many organisations, the legal characterisation is inherited from procurement assumptions, vendor paper or previous practice. The privacy team is then asked only to validate the documentation rather than the underlying analysis.

That is not enough where the relationship is material. A stronger approach requires the DPO or privacy manager to test whether the documentation corresponds to the actual flows and the actual balance of decision-making. It also requires the privacy function to identify where the organisation’s practical ability to monitor, challenge or revisit the relationship is weaker than the paperwork suggests.

The useful privacy review is not the one that asks whether there is a DPA on file. It is the one that can explain why the arrangement has been classified as it has, what legal consequences follow from that classification, and where the organisation’s practical ability to oversee the position is limited.

That is the level at which vendor oversight starts to become defensible rather than merely documented.

Why this matters for the DPO or privacy manager

For a DPO or privacy manager, vendor oversight is one of the clearest tests of whether the privacy function is operating at governance level. A narrow review of contractual wording may satisfy a process requirement, but it does not tell the organisation much about whether it has understood the relationship correctly or whether its accountability position is robust.

The real value lies in being able to identify where the organisation has defaulted too quickly to a processor model, where a data sharing arrangement is more appropriate, where joint controllership needs to be recognised, where hybrid structures need more precise documentation, and where the practical ability to oversee the relationship is weaker than the formal paperwork implies.

That is not simply a matter of technical legal precision. It affects how the organisation explains the relationship internally, how it allocates controls, how it handles incidents, what it tells data subjects, what it reports to management, and what it is realistically able to defend if asked to justify the arrangement later.

The DPO’s role is not to make vendor arrangements look tidy. It is to make the organisation’s accountability position intelligible and defensible.

That is why this topic deserves more than a standard processor oversight discussion. The harder and more useful question is not whether the supplier has signed the right clauses, but whether the organisation has correctly understood what kind of relationship it has created and what that means for governance in practice.

Takeaway

A useful next step for any DPO or privacy manager is to look again at vendor relationships that are currently treated as settled. Which of them are genuinely processor arrangements? Which are better understood as controller-to-controller disclosures? Which contain mixed elements that are being collapsed into one legal label for convenience? Which may in fact involve joint determination of purpose and means? And where is the organisation relying on a contractual form that is easier to administer than the relationship is to defend?

The practical challenge is not simply to ensure that vendors are documented. It is to ensure that they are documented on the right legal basis, governed using the right accountability model, and reported internally in a way that reflects the actual nature of the exposure the organisation has chosen to accept.

This article is intended to support the learning covered in Hour 4 of our XpertAcademy CPD programme. The relevant CPD certificate is issued for completion of the full one-hour session on XpertAcademy, rather than for reading this article on its own. You can return to the course here: CPD Event A: Full-Day Regulatory Privacy Training.

Related Articles

EDPB Annual Report for 2025
Privacy CPD

EDPB Annual Report for 2025

A practical analysis of the EDPB’s 2025 Annual Report, exploring what its guidance, enforcement priorities and cross-regulatory work mean for organisations, governance, AI oversight and privacy compliance in practice.
bx-arrow
AI Governance and Data Protection Impact Assessments (DPIAs)
GDPR DPO

AI Governance and Data Protection Impact Assessments (DPIAs)

A practical guide for DPOs and compliance teams on using DPIAs to structure AI governance, manage risk, and build defensible, scalable processes aligned with GDPR and the EU AI Act.
bx-arrow
DPC and EDPB Annual Reports for 2024
Privacy CPD

DPC and EDPB Annual Reports for 2024

A practical reading of the DPC and EDPB Annual Reports for 2024, highlighting the compliance themes, operational risks and governance issues organisations should now review and escalate internally.
bx-arrow

Ready to start your Data Protect journey with us?

Get in Touch
Data Protection Officer Services