LIVE · v1.1 STABLE
BUILD 2026.05.27
ART. 28 · 26
AGPL-3.0 · 8 EVAL CASES · 72 ASSERTIONS

PROCESSOR
CONTRACTS
by CLAUSE,
NOT FAITH.

Reviews, drafts, and redlines controller-processor contracts under Art. 28 GDPR and joint-controller arrangements under Art. 26. Quick Art. 28(3)(a)–(h) coverage check, negotiation-grade clause scoring, greenfield drafting, counterparty redlining, and joint-controller arrangements — bilingual DE / EN, controller- or processor-side.

GDPR ART. 28   ·   GDPR ART. 28(3)(a)–(h)   ·   GDPR ART. 26   ·   GDPR ART. 32   ·   GDPR ART. 9 · 10   ·   DECISION (EU) 2021/915   ·   DECISION (EU) 2021/914   ·   SCC MODULES 1–4   ·   EDPB 07/2020   ·   AVV   ·   TOMS   ·   JCA   ·   GDPR ART. 28   ·   GDPR ART. 28(3)(a)–(h)   ·   GDPR ART. 26   ·   GDPR ART. 32   ·   GDPR ART. 9 · 10   ·   DECISION (EU) 2021/915   ·   DECISION (EU) 2021/914   ·   SCC MODULES 1–4   ·   EDPB 07/2020   ·   AVV   ·   TOMS   ·   JCA
§ 01 · CAPABILITIES

SIX PRIMITIVES.
One SKILL.

Each capability is documented separately, tested separately, and called by the workflow at the right moment. Compose them or invoke individually.

01
FIVE-MODE ROUTER
Classifies every request into REVIEW_QUICK, REVIEW_NEG, DRAFT, REDLINE, or JOINT_CONTROLLER before any work starts. Mode flips mid-task are expected and surfaced.
02
ART. 28(3) COVERAGE
Each (a)–(h) obligation marked PASS / WEAK / GAP / DEFECT with a one-line reason, plus the chapeau elements: subject matter, duration, nature, purpose, data types, categories of data subjects.
03
CLAUSE-BY-CLAUSE SCORING
Negotiation-grade table: clause #, obligation, current-text gist, issue, risk tier (1 blocker / 2 material / 3 polish), proposed fix. Plus walk-away conditions.
04
TEMPLATE LIBRARY
Commercial / hybrid / strict DPA tiers and JCA, each in DE and EN. Tier 2/3 incorporate Commission Decision (EU) 2021/915. Annex 1 always tailored to the real processing.
05
SCC INTEGRATION
Bolts Decision (EU) 2021/914 Modules 1–4 onto a DPA when data leaves the EEA. Specifies module, Annexes I.A/I.B/I.C/II/III, signature mechanism, and TIA reference.
06
JOINT-CONTROLLER MODE
Art. 26 arrangements with EDPB 07/2020 role analysis, an allocation matrix, and the Art. 26(2) public summary. A JC arrangement is never papered as a DPA.
§ 02 · WORKFLOW

FROM INPUT
to ARTEFACT.

Twelve structured steps. The human stays accountable; the skill carries the structure, the citations, and the document trail.

01
Mode routing
Classify into REVIEW_QUICK, REVIEW_NEG, DRAFT, REDLINE, or JOINT_CONTROLLER. If unclear, ask — the depth difference is material.
02
Roles confirmation
Who is controller, who is processor? If both might be controllers, run the Art. 26 vs Art. 28 screen before proceeding.
03
Perspective & language
Controller-favorable, processor-favorable, or balanced. DE / EN / bilingual — default matches the source document.
04
Tier selection
DRAFT and REDLINE: Tier 1 Commercial / Tier 2 Strict (2021/915 unmodified) / Tier 3 Hybrid. Walk the decision tree if not pre-selected.
05
Processing scenario
Subject matter, nature, purpose, data categories, data subjects, duration. Without it, drafting is impossible and review is shallow — request it.
06
Transfers & sub-processors
International transfers in scope? Load the SCC module guide and flag early. Sub-processors: general, specific, or none.
07
Art. 28(3) analysis
Coverage table for quick review; clause-by-clause risk scoring for negotiation-grade. All eight (a)–(h) obligations plus chapeau.
08
Annex review
Annex 1 processing description, Annex 2 TOMs mapped to Art. 32(1)(a)–(d), Annex 3 sub-processors, Annex 4 transfers + SCCs.
09
Negotiation strategy
Must-have / should-have / nice-to-have, sequenced for the real negotiation. Define walk-away conditions.
10
Quality gates
Roles confirmed, all (a)–(h) covered, deletion/return choice defined, audit rights specified, language consistent.
11
Output generation
Coverage table, clause table, marked-up redline, drafted DPA, or JCA — per mode, in the requested language(s).
12
Practitioner's note
What the user should do next: sign / push back / request information / escalate. Appended to every client deliverable.
§ 03 · MODES

FIVE PATHS.
One OUTCOME.

Match the workflow to the situation. The skill router picks automatically; you can override.

REVIEW_QUICK
Fast Art. 28(3)(a)–(h) coverage check with PASS/WEAK/GAP/DEFECT labels, top 3 issues, and a sign / sign-with-side-letter / do-not-sign recommendation. ~30 min.
REVIEW_NEG
Negotiation-grade clause-by-clause risk scoring, annex review, sequenced negotiation strategy, and walk-away conditions. ~2–3 h of analytical work.
DRAFT
Greenfield DPA / AVV from a chosen template tier, with Annexes 1–4 populated from intake and drafting notes for alternatives and assumptions.
REDLINE
Marked-up counterparty draft — additions bold, deletions struck — preserving their clause numbering, plus a cover memo with fallback positions and a side-letter draft.
JOINT_CONTROLLER
Art. 26 arrangement: role analysis anchored to EDPB 07/2020, JCA body, allocation matrix, and the Art. 26(2) public summary for data subjects.
§ 04 · ANATOMY

WHAT'S
IN the SKILL.

Single-folder skill. SKILL.md is the runtime spec; references hold the knowledge corpus; evals hold the proof.

dpa-art28/
├── evals  # Test cases + assertions
│   └── evals.json  # 8 cases, 72 assertions
├── references  # Reference corpus
│   ├── 2021-915-commission-text-de.md
│   ├── 2021-915-commission-text-en.md
│   ├── art26-joint-controller.md
│   ├── art28-3-checklist.md
│   ├── common-defects.md
│   ├── negotiation-fallbacks.md
│   ├── sccs-module-guide.md
│   └── tier-selection.md
├── templates
│   ├── dpa-commercial-de.md
│   ├── dpa-commercial-en.md
│   ├── dpa-hybrid-de.md
│   ├── dpa-hybrid-en.md
│   ├── dpa-strict-de.md
│   ├── dpa-strict-en.md
│   ├── jca-de.md
│   └── jca-en.md
├── workflows
│   ├── draft.md
│   ├── joint-controller.md
│   ├── redline.md
│   ├── review-negotiation.md
│   └── review-quick.md
├── CHANGELOG.md  # Version history
├── README.md  # Deployment guide
└── SKILL.md  # Main skill instructions
§ 05 · DEPLOYMENT

INSTALL
and INVOKE.

Two deployment surfaces. The skill auto-triggers on relevant keywords once installed.

CLAUDE.AI USER SKILLS

  1. Settings → Profile → Custom Skills
  2. Upload the entire dpa-art28/ folder
  3. Skill auto-triggers on relevant keywords

CLAUDE CODE / MCP

  1. Copy folder to your skills directory:
cp -r dpa-art28/ \
   ~/.claude/skills/user/
§ 06 · OUTPUTS

WHAT YOU
get BACK.

Every output is documented, version-pinned, and traceable to its source citation.

Art. 28(3) coverage table
Each (a)–(h) obligation and the chapeau elements marked PASS / WEAK / GAP / DEFECT with a one-line reason.
Clause-by-clause risk table
Negotiation-grade: clause #, obligation, current-text gist, issue, risk tier (1/2/3), proposed fix, walk-away conditions.
Drafted DPA / AVV
Complete main body plus Annex 1 (processing), Annex 2 (TOMs), Annex 3 (sub-processors), Annex 4 (transfers) in the requested language(s).
Redline + cover memo
Marked-up counterparty draft with changes summary, per-clause rationale, fallback positions, and expected pushback. Optional side letter.
Joint Controller Arrangement
Art. 26 JCA body, allocation matrix, and the Art. 26(2) public summary made available to data subjects.
Practitioner's note
Next-step synthesis: sign / push back / request information / escalate — with residual risk documented.
§ 07 · EVALS

TESTED
before SHIPPED.

Every release runs against a fixed test suite. Assertions check numeric consistency, citation accuracy, and decision-tree branches.

08
Test Cases
72
Assertions
100%
Coverage Required
01
REVIEW_QUICK — Vendor sent us this DPA
9 ASSERTS
02
REVIEW_NEG — The processor's draft includes this breach notification clause: 'Pr...
9 ASSERTS
03
DRAFT — Please draft a STRICT-tier (Tier 2 — 2021/915 unmodified) DPA in German
10 ASSERTS
04
REDLINE — Counterparty sent us a DPA that mixes Art
9 ASSERTS
05
JOINT_CONTROLLER — Two companies are running a co-branded marketing campaign
10 ASSERTS
06
REVIEW_NEG — The processor's audit clause states: 'Controller may audit Processo...
8 ASSERTS
07
Multi-jurisdictional DPA — Controller is in Germany, processor is in Ireland (EE...
8 ASSERTS
08
Public-sector DPA — A German Bundesland (federal state) authority is the control...
9 ASSERTS
§ 08 · REGULATORY BASIS

WHAT IT
cites.

Every legal verdict resolves to one of these instruments. No invented articles, no synthetic recitals.

GDPR Article 28
Controller-processor relationship; mandatory DPA content under Art. 28(3)(a)–(h).
GDPR Article 26
Joint controller arrangements and the Art. 26(2) public summary.
GDPR Articles 32, 9 & 10
Technical and organisational measures; enhanced TOMs for special-category and criminal-conviction data.
Commission Decision (EU) 2021/915
EU-wide standard contractual clauses for controller-processor agreements (Tiers 2/3).
Commission Decision (EU) 2021/914
International-transfer SCCs, Modules 1–4, for data leaving the EEA.
EDPB Guidelines 07/2020
Concepts of controller and processor — anchors the Art. 26 vs Art. 28 role screen.
§ 09 · TRUST

EVERY STEP,
auditable.

The trace is the product. Nothing happens off the record — no hidden tool calls, no silent retrieval, no opaque chain-of-thought.

§
Source-anchored output.
Every coverage verdict, clause score, and role determination traces to Art. 28, Art. 26, or the cited Commission Decision.
VERIFIED
Reproducible decisions.
The structured envelope — mode router, (a)–(h) table, risk tiers — recreates the same analysis for audit or negotiation defence.
IMMUTABLE
Quality gates before delivery.
Roles confirmed, all eight obligations covered, deletion-choice and audit rights specified — checked before any output ships.
ENFORCED
**
EU-native.
Built on the German AVV register, Commission Decisions 2021/915 and 2021/914, and EDPB role guidance. Bilingual by design, not back-translated.
NATIVE

DPA Art. 28 GDPR — Deployment Guide

📄 View the interactive skill page →

See CHANGELOG.md for version history.

Overview

DPA Art. 28 GDPR — review, drafting, and redlining of Data Processing Agreements (AVV / Auftragsverarbeitungsvertrag) and Art. 26 Joint Controller Arrangements:

  • 5 operating modes routed automatically — REVIEW_QUICK, REVIEW_NEG (negotiation-grade), DRAFT, REDLINE, JOINT_CONTROLLER
  • Bilingual output — DE and EN, parallel quality
  • Two perspectives — controller-side and processor-side reviews
  • Two review depths — quick (Art. 28(3)(a)–(h) coverage check) and negotiation-grade (clause-by-clause risk scoring)
  • Commission SCC anchor — built on Commission Implementing Decision (EU) 2021/915
  • Template library — commercial, hybrid, and strict DPA templates (DE + EN); JCA templates (DE + EN)
  • Common-defects catalog for fast spotting in vendor-provided drafts
  • Negotiation fallback positions — pre-drafted alternative language for contentious clauses
  • SCC module guide — when and how to bolt Modules 1–4 onto a DPA for international transfers
  • Tier selection helper — match commercial / hybrid / strict template to deal context
  • Strict quality gates — verified Art. 28(3) coverage before delivery

File Structure

dpa-art28/
├── SKILL.md                                       # Main skill instructions (deploy this)
├── CHANGELOG.md                                   # Version history
├── references/
│   ├── 2021-915-commission-text-en.md             # Commission Implementing Decision (EU) 2021/915 — EN
│   ├── 2021-915-commission-text-de.md             # Commission Implementing Decision (EU) 2021/915 — DE
│   ├── art28-3-checklist.md                       # Art. 28(3)(a)–(h) coverage checklist
│   ├── art26-joint-controller.md                  # Art. 26 JCA framework
│   ├── common-defects.md                          # Vendor-DPA defect catalog
│   ├── negotiation-fallbacks.md                   # Fallback positions for contentious clauses
│   ├── sccs-module-guide.md                       # International-transfer SCC integration
│   └── tier-selection.md                          # Commercial / hybrid / strict tier helper
├── templates/
│   ├── dpa-commercial-de.md                       # Commercial DPA — DE
│   ├── dpa-commercial-en.md                       # Commercial DPA — EN
│   ├── dpa-hybrid-de.md                           # Hybrid DPA — DE
│   ├── dpa-hybrid-en.md                           # Hybrid DPA — EN
│   ├── dpa-strict-de.md                           # Strict DPA — DE
│   ├── dpa-strict-en.md                           # Strict DPA — EN
│   ├── jca-de.md                                  # JCA template — DE
│   └── jca-en.md                                  # JCA template — EN
└── workflows/
    ├── review-quick.md                            # REVIEW_QUICK procedure
    ├── review-negotiation.md                      # REVIEW_NEG procedure
    ├── draft.md                                   # DRAFT procedure
    ├── redline.md                                 # REDLINE procedure
    └── joint-controller.md                        # JOINT_CONTROLLER procedure

Deployment

Claude.ai (User Skills)

  1. Go to Settings → Profile → Custom Skills (or equivalent)
  2. Upload the entire dpa-art28/ folder structure
  3. The skill will auto-trigger on "DPA", "AVV", "Auftragsverarbeitung", "Art. 28 contract", "redline this DPA", "JCA", or "joint controller agreement"

Claude Code / Custom MCP Setup

  1. Copy the dpa-art28/ folder to your skills directory: bash cp -r dpa-art28/ /path/to/your/skills/user/dpa-art28/
  2. Ensure the skill is registered in your configuration

Usage

Quick Start

Paste a DPA or ask for one:

"Review this DPA from a vendor — we're the controller. Quick check first, then tell me what's missing under Art. 28(3) and what I should push back on."

Or:

"Draft a strict-tier DPA in German for an EU-based processor handling employee data, including SCCs Module 2 for our US subsidiary."

Trigger Phrases

  • "DPA" / "AVV" / "Auftragsverarbeitung" / "Auftragsverarbeitungsvertrag"
  • "Art. 28 contract" / "Data processing agreement" / "Processor agreement"
  • "Review this DPA" / "Draft a DPA" / "Redline this DPA"
  • "Art. 26 arrangement" / "JCA" / "Joint controller agreement"

Mode Router

Mode When
REVIEW_QUICK Fast Art. 28(3)(a)–(h) coverage check
REVIEW_NEG Negotiation-grade clause-by-clause risk scoring
DRAFT Produce a new DPA from a chosen template tier
REDLINE Mark up an existing draft with proposed changes
JOINT_CONTROLLER Art. 26 Joint Controller Arrangement workflow

Capabilities Summary

Feature Description
Bilingual (DE/EN) Parallel quality across both languages
Dual Perspective Controller-side and processor-side review
Commission SCC Built on Implementing Decision (EU) 2021/915
Template Library 3 DPA tiers × 2 languages + JCA × 2 languages
Defect Catalog Common vendor-DPA defects with diagnostic signals
Negotiation Fallbacks Pre-drafted alternative language for contested clauses
SCC Integration International-transfer module guidance (Modules 1–4)
Tier Selection Commercial / hybrid / strict matched to deal context
Quality Gates Verified Art. 28(3) coverage before delivery

Regulatory Basis

Document Reference
GDPR Art. 28 Controller-processor relationship
GDPR Art. 28(3)(a)–(h) Mandatory DPA content
GDPR Art. 26 Joint controller arrangements
Commission Implementing Decision (EU) 2021/915 EU-wide DPA standard contractual clauses
Commission Implementing Decision (EU) 2021/914 International transfer SCCs (Modules 1–4)

License & Disclaimer

This skill provides structured GDPR Art. 28 / Art. 26 contracting guidance. It is not legal advice. Negotiated DPAs and JCAs should be reviewed by qualified data protection counsel before signing.

Licensed under AGPL-3.0 — see LICENSE at the repo root.


Created by Oliver Schmidt-Prietz — OneZero Legal