Summary
As proposed, the Cloud and AI Development Act (CADA) creates a direct legal bridge between existing GDPR data processing agreements and the new Union cloud computing sovereignty framework. Recital 63 explicitly states that specific technical and organisational measures required by CADA to ensure personal data is processed in line with the regulation "could be foreseen in the mandatory agreements pursuant to Regulation (EU) 2016/679" (the GDPR) and "could be relied on to demonstrate that the necessary Union assurance levels are met." This mechanism applies not only to the main provider but also to its subcontractors, who are bound by the same agreements. For providers seeking recognition under Article 16 (the sovereignty framework) and undergoing audits under Article 20, this integration allows a single contractual instrument to satisfy dual compliance obligations, reducing administrative burden while strengthening the evidentiary basis for Union assurance levels 1 through 4.
Detail
The interaction between the General Data Protection Regulation (GDPR) and the proposed Cloud and AI Development Act (CADA) represents a strategic alignment of data protection and digital sovereignty. Rather than establishing a parallel, siloed compliance track for data protection, CADA proposes to embed sovereignty requirements into the existing, well-understood framework of data governance. This is particularly critical for cloud service providers and data centre operators seeking recognition under the Union cloud computing sovereignty framework established in Article 16.
Recital 63: The Legal Bridge Between GDPR and CADA
The core of this interaction is found in Recital 63 of the CADA proposal. It addresses the operational overlap between CADA's sovereignty criteria and the GDPR's strict requirements for cross-border data processing and subcontracting. The recital states:
"Where cloud computing services are used to process personal data, Regulation (EU) 2016/679 provides for an obligation to agree on organisational and technical measures to comply with that Regulation. Where the cloud computing service provider relies on subcontractors in the provision of the services, the same agreements apply to the subcontractors. Where specific technical and organisational measures should be implemented pursuant to this Regulation to ensure that personal data are processed in line with this Regulation, such specific measures could be foreseen in the mandatory agreements pursuant to Regulation (EU) 2016/679 and could be relied on to demonstrate that the necessary Union assurance levels are met."
This provision serves two critical, interconnected functions for providers:
- Contractual Consolidation: It permits the inclusion of CADA-specific technical and organisational measures, such as strict data localisation, granular access controls, or specific audit rights relevant to Union assurance levels, directly into the GDPR Article 28 data processing agreement (DPA). This avoids the need for separate, redundant contractual instruments solely for CADA compliance, allowing providers to leverage their existing legal infrastructure.
- Evidence for Assurance Levels: It explicitly validates these consolidated agreements as admissible evidence that a provider has met the necessary Union assurance levels. This is crucial because Article 16 establishes four Union assurance levels (1 to 4), each with cumulative criteria. For levels 2, 3, and 4, providers must undergo independent third-party audits under Article 20. The audit evidence required is detailed in Annex III of the proposal. By allowing GDPR agreements to carry CADA measures, providers can present their DPAs as primary documentary evidence demonstrating compliance with sovereignty criteria related to personal data processing.
Application Across Assurance Levels
The utility of this interaction varies by assurance level, reflecting the increasing stringency of the sovereignty framework:
- Union Assurance Level 1: Providers must perform a conformity self-assessment under Article 19. While less rigorous than higher tiers, providers must still demonstrate that customer data remains exclusively within the Union unless explicitly required otherwise by the public sector body. A GDPR DPA that explicitly mandates Union-only data processing and restricts third-country access can serve as the primary documentary evidence for this self-assessment, satisfying the criteria in Annex II regarding data localisation.
- Union Assurance Levels 2, 3, and 4: These levels require independent audits under Article 20. Auditing organisations must assess compliance against criteria in Annex II using evidence from Annex III. For example, Audit Criterion C in Annex III requires evidence demonstrating that customer data is stored and processed exclusively in the Union. A GDPR DPA containing specific technical measures (e.g., encryption keys held only in the Union, strict access logs, and prohibitions on data transfer) can satisfy this evidentiary requirement. Furthermore, Audit Criterion G requires assessing the absence of third-country control. If a DPA includes clauses preventing third-country authorities from accessing data or compelling service degradation, this supports the audit opinion regarding sovereignty risks.
Subcontractor Obligations and Supply Chain Integrity
Recital 63 explicitly notes that "where the cloud computing service provider relies on subcontractors in the provision of the services, the same agreements apply to the subcontractors." This aligns with GDPR Article 28(4), which requires controllers to impose the same data protection obligations on processors. Under CADA, this means that the sovereignty measures embedded in the main DPA must flow down to the entire subcontractor chain.
For providers seeking Union assurance levels 2 to 4, Annex II requires that subcontractors involved in the provision of the service must also meet specific criteria (e.g., being established in the Union, having infrastructure in the Union, and in some cases, employing Union citizens). The GDPR DPA mechanism becomes the legal vehicle to enforce these CADA sovereignty criteria on the subcontractor chain. By embedding CADA requirements into the DPA, the provider ensures that the entire supply chain is contractually bound to the same sovereignty standards, making the supply chain auditable and compliant as a single unit.
Audit Evidence and Article 20
Under Article 20, auditing organisations must issue an audit report and an audit opinion. The quality and content of audit evidence are governed by Article 21 and Annex III. The proposal states that audit evidence must be "relevant and sufficient" and "reliable." By integrating CADA measures into GDPR agreements, providers create a single source of truth for auditors.
Auditors can verify that the contractual obligations (GDPR) align with the sovereignty requirements (CADA), reducing the complexity of the audit process. This is particularly important for Article 17 recognition, where the competent authority of establishment reviews the audit report. A coherent DPA that satisfies both GDPR and CADA requirements strengthens the provider's case for recognition. It demonstrates that the provider has not only implemented technical measures but has also legally codified them in a binding framework that is already familiar to regulators and auditors.
What this means for you
For cloud service providers and data centre operators, this integration offers a pathway to streamline compliance but requires careful contract drafting and strategic planning.
- Review and Update DPAs: You should review your standard GDPR data processing agreements to ensure they are capable of accommodating CADA-specific technical and organisational measures. This includes adding clauses on strict data localisation, restrictions on third-country access, specific audit rights that go beyond standard GDPR requirements, and explicit prohibitions on service disruption or degradation by third-country actors.
- Flow-Down to Subcontractors: Ensure that your subcontractor agreements mirror the enhanced DPAs. Recital 63 confirms that subcontractors are bound by the same agreements, so your supply chain must be contractually aligned with CADA sovereignty criteria. Failure to update these flow-down agreements could invalidate your evidence for higher assurance levels.
- Prepare for Audit: When preparing for audits under Article 20, highlight your DPAs as key evidence. Demonstrate to auditing organisations that your contractual framework explicitly mandates the technical and organisational measures required for your target Union assurance level. This can simplify the audit process by providing clear, verifiable contractual commitments that auditors can easily map to Annex II criteria.
- Monitor Secondary Legislation: The specific technical and organisational measures may be further defined in delegated or implementing acts. Stay updated on these developments to ensure your DPAs remain compliant with evolving CADA requirements, as the Commission may refine the list of measures that can be "foreseen" in GDPR agreements.
Common misconceptions
"CADA replaces GDPR." No. CADA does not replace GDPR. It complements it. Recital 63 explicitly references GDPR obligations, confirming that both regimes apply simultaneously. Providers must comply with both the GDPR's data protection rules and CADA's sovereignty criteria. The GDPR remains the primary legal basis for data protection, while CADA adds the layer of sovereignty.
"Any standard GDPR DPA is sufficient for CADA." No. Standard GDPR DPAs may not include the specific technical and organisational measures required for Union assurance levels, such as strict data localisation or bans on third-country access. Providers must actively incorporate CADA-specific measures into their DPAs to leverage Recital 63. A generic DPA without these specific clauses will likely fail to provide sufficient evidence for higher assurance levels.
"Subcontractors are exempt from CADA measures if they are not directly audited." No. Recital 63 explicitly states that "the same agreements apply to the subcontractors." Providers are responsible for ensuring that their subcontractors comply with the CADA measures embedded in the DPAs. For assurance levels 2 to 4, the criteria in Annex II explicitly require that subcontractors meet the same establishment and infrastructure criteria as the main provider.
"CADA only applies to public sector data." While the procurement obligations in Article 30 apply to public sector bodies, the sovereignty framework in Article 16 and the recognition mechanism apply to any cloud computing service provider seeking to be recognised as offering Union assurance levels. The interaction with GDPR is relevant for any provider processing personal data, regardless of the customer type, as the criteria in Annex II apply to the service itself.
This is general information about a draft EU regulation, not legal advice.