
GDPR Article 28 and CSV Tools: When Does a DPA Apply?

March 16, 2026
By SplitForge Team

Quick Answer

A CSV tool is likely a GDPR processor when it receives EU personal data on its servers and processes it on your instructions.

This triggers Article 28: you must have a signed Data Processing Agreement before processing begins — not after. Using a cloud CSV tool without a DPA may be a violation regardless of whether the data was misused.

The exception: A client-side tool that processes files in your browser, where no file contents reach any server, may not qualify as a processor for that activity — materially reducing or potentially eliminating the DPA obligation for raw file processing.


TL;DR: Under GDPR Article 28, any entity that processes personal data on your behalf is a processor — and you must have a Data Processing Agreement with them before processing begins. If a cloud CSV tool receives EU personal data on its servers and processes it on your instructions, it may be a processor. Using it without a DPA may be a violation of GDPR Article 28. Client-side tools that process files in your browser can materially reduce this exposure — for raw file contents that never reach a server, the processor relationship may not arise.


A startup used a popular online CSV tool to merge two customer lists before importing them to their CRM. The tool was fast, free, and well-reviewed. The lists contained names, email addresses, and purchase histories — standard EU customer data.

Three weeks later, a GDPR Subject Access Request came in from a customer asking which third parties had processed their data. The startup's data map listed their CRM, email platform, and payment processor. The CSV tool was not on it — because no one had thought to add it. It had never been through vendor due diligence. No DPA had ever been signed.

That CSV tool processed the customer's personal data. Under GDPR Article 4(8), it may have been a processor. Under Article 28, processing by a processor must be governed by a contract. That contract, the DPA, was never executed.

The legal exposure is real and documented. In 2024, the Austrian DPA fined an organization for using a US-based analytics tool without adequate data processing safeguards — not because the data was misused, but because the contractual framework required by Article 28 was absent.

Regulatory requirements in this guide were verified against official GDPR text, the European Data Protection Board's guidelines on processors, and authoritative supervisory authority guidance. The vendor assessment framework in this guide reflects our direct experience evaluating the data handling architecture of CSV processing tools, March 2026.




This guide is for: Data Protection Officers, legal and compliance counsel, IT procurement teams, and anyone responsible for vendor due diligence under GDPR.


The DPA Decision Flow: Does Your CSV Tool Need One?

This table gives the framework. The legal classification of any specific tool requires analysis — but this decision flow covers the most common scenarios.

| Question | If Yes | If No |
|---|---|---|
| Does the tool receive the file on a remote server? | Likely a processor — DPA probably required | May not be a processor for raw file processing |
| Does the file contain EU personal data? | Article 28 analysis applies | GDPR may not apply to this processing activity |
| Does the tool process the file on your instructions? | Processor definition likely met | Tool may be acting as a controller in its own right |
| Does the tool offer a signed DPA? | Proceed after signing | Do not use for EU personal data without legal review |
| Does the tool explicitly process client-side with no server transmission? | Article 28 processor relationship may not arise for raw file processing | |

Use this table as a starting point. Confirm the classification of any specific tool with qualified legal counsel.

Processor, Controller, or Neither? A Classification Matrix

This matrix gives DPOs a quick-reference tool for vendor classification. The final determination is always fact-specific — use this as a starting framework, not a legal conclusion.

| Tool Behavior | Likely Status | GDPR Obligation | What This Means in Practice |
|---|---|---|---|
| Receives file on server, processes on your instructions only | Processor | DPA required (Art. 28) | Must sign DPA before use; you control purposes |
| Receives file and also uses data for own purposes (training, analytics) | Controller or Joint Controller | Full controller duties; potentially needs its own legal basis | Cannot be used for EU personal data without separate legal review |
| Processes file client-side only — no server transmission of file contents | May not be a processor for raw file processing | DPA may not be required for that activity | Verify architecture with DevTools; confirm with counsel |
| Receives only anonymized data (all 18+ identifiers removed) | Not a processor for that data | No GDPR obligations for anonymous data (Recital 26) | De-identify first; then transmit |
| Receives metadata only (file name, size, operation type — no file contents) | Likely not a processor for file contents | Low risk; review what metadata is captured | Review privacy policy for telemetry scope |

The critical distinction between processor and controller: A processor acts on your instructions and for your purposes — you remain in control of why the data is processed. A controller determines the purposes independently. If a CSV tool uses your uploaded data to improve its own product, it may be acting as a controller for that secondary use, triggering obligations under GDPR Article 6 (lawful basis) that are separate from Article 28.


What Is a Data Processor Under GDPR Article 4(8)?

GDPR Article 4(8) defines a "processor" as "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."

Two elements must be present for the processor definition to apply. First, the entity must process personal data. Second, the processing must occur "on behalf of" the controller — meaning under the controller's instructions and for the controller's purposes.

When you use a CSV tool to clean, merge, or reformat a file containing EU customer data, and that tool processes the file on its servers according to your instructions, both elements are likely satisfied: the tool processes personal data, and it does so on your behalf to achieve your operational purpose.

The EDPB's Guidelines on the concepts of controller and processor clarify that the "on behalf of" element is met when an entity carries out processing activities as a service to a controller, where the controller retains control over the purposes of the processing. That describes exactly what a CSV tool does when it processes your customer data.


When Does a CSV Tool Become a Processor?

The legal determination is fact-specific, but the key questions are consistent across supervisory authority guidance.

Question 1: Does the tool process files on a remote server? If you upload a file and it is transmitted to a vendor's server for processing, the vendor's infrastructure is handling your EU personal data. This is the threshold condition for the processor analysis.

Question 2: Does the tool process the file on your instructions? CSV tools are designed to execute your specified operations on your data. The relationship is one of service — you instruct, the tool executes. This is the "on behalf of" element in Article 4(8).

Question 3: Does the tool's privacy policy or ToS reveal how the data is used? Some tools use uploaded data for purposes beyond the requested operation — training, analytics, service improvement. If a tool uses your data for its own purposes, it may be acting as a controller, not a processor. This distinction matters: a controller relationship does not require a DPA, but it creates different and potentially more serious GDPR obligations for the vendor.

Question 4: Does the tool offer a DPA? This is a practical proxy for the legal analysis. Legitimate SaaS processors typically offer DPAs because they understand their obligations under Article 28. A tool that does not offer a DPA may either be unaware of its GDPR obligations or may be deliberately avoiding the processor classification. Neither is a reassuring answer.


What a GDPR Article 28 DPA Must Contain

Article 28(3) specifies that the contract governing processor relationships must set out the subject matter, duration, nature, and purpose of the processing, the type of personal data, and the categories of data subjects. Beyond these basics, the DPA must stipulate that the processor:

  1. Processes personal data only on documented instructions from the controller — the processor cannot use your data for any purpose you have not authorized
  2. Ensures that persons authorized to process have committed themselves to confidentiality — the processor's staff must be bound by confidentiality obligations
  3. Implements all technical and organizational security measures required by Article 32
  4. Obtains prior written authorization before engaging sub-processors — and passes down equivalent DPA obligations to any sub-processor
  5. Assists the controller in responding to data subject rights requests — access, deletion, portability, rectification
  6. Assists the controller in ensuring compliance with security, breach notification, DPIA, and consultation obligations
  7. Returns or deletes all personal data after the service ends, at the controller's choice
  8. Makes available all information necessary to demonstrate compliance and submits to audits

Most CSV tool terms of service contain none of these obligations. A standard free-tier SaaS agreement is not a DPA. Signing a DPA means the processor has explicitly committed to each of these requirements in writing.


How Client-Side Processing Changes the Article 28 Analysis

The processor definition requires that the entity "process personal data." If no personal data ever reaches the vendor's infrastructure, the vendor may not be processing personal data on your behalf — and the Article 28 processor relationship may not arise for that activity.

Client-side CSV processing works as follows. When you open a file in a browser-based tool, the browser's File API reads the file from your local storage. A Web Worker thread, an isolated execution context within your browser that in this architecture makes no network calls, performs the processing operations. The results are written back to browser memory and made available for download. At no point does the file content leave your device. Because a worker is capable of network access, the no-transmission property is a property of the tool's code, which is why verifying it (for example in the DevTools Network panel) matters.

For raw file contents that are processed entirely within this architecture, with no transmission to a remote server, the vendor does not process personal data on your behalf. The Article 28 processor analysis — which requires that the vendor process personal data — does not apply to that specific activity.

This analysis has limits. It applies to raw file processing only. Authentication, telemetry, crash reporting, and other tool functions may still involve server communication. Confirm with legal counsel that your specific tool's complete architecture supports the no-transmission conclusion before relying on it for compliance purposes.
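As an added example (not SplitForge's code and not from the original post), here is the customer-list merge from the opening scenario implemented entirely client-side, wrapped in a monitor that records any attempted network call while the merge runs; it is a programmatic counterpart to the DevTools network check this guide recommends. The function names (parseCsv, mergeOnKey, runWithNetworkMonitor, mergeCustomerLists) and the sample exports are assumptions and constructed data.

```javascript
// Added example (not SplitForge's code): client-side CSV merge plus a monitor that
// records any attempted network call during processing. Assumptions: fetch,
// XMLHttpRequest, WebSocket and navigator.sendBeacon are the transmission paths of
// interest; CSV is comma-separated with optional double-quoted fields. The monitor
// only sees its own execution context: for a Web Worker, run it inside the worker.
function parseCsv(text) {
  const rows = [];
  let row = [], field = '', inQuotes = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inQuotes) {
      if (c === '"' && text[i + 1] === '"') { field += '"'; i++; } // escaped quote
      else if (c === '"') inQuotes = false;
      else field += c;
    } else if (c === '"') inQuotes = true;
    else if (c === ',') { row.push(field); field = ''; }
    else if (c === '\n') { row.push(field); rows.push(row); row = []; field = ''; }
    else if (c !== '\r') field += c;
  }
  if (field.length || row.length) { row.push(field); rows.push(row); }
  const [header, ...records] = rows;
  return records.map(r => Object.fromEntries(header.map((h, i) => [h, r[i] ?? ''])));
}
// Merge lists on a key column (case-insensitive); later lists add or overwrite fields.
function mergeOnKey(key, ...lists) {
  const merged = new Map();
  for (const list of lists) for (const rec of list) {
    const k = (rec[key] || '').trim().toLowerCase();
    if (k) merged.set(k, { ...(merged.get(k) || {}), ...rec, [key]: k });
  }
  return [...merged.values()];
}
// Run fn with every known transmission API replaced by a stub that records the
// attempt and refuses it; originals are restored afterwards.
function runWithNetworkMonitor(fn) {
  const attempts = [], patched = [], g = globalThis;
  const stub = name => function (...args) {
    attempts.push({ api: name, target: String(args[0] ?? '') });
    throw new Error(`blocked network call via ${name}`);
  };
  for (const name of ['fetch', 'XMLHttpRequest', 'WebSocket']) {
    if (name in g) { patched.push([g, name, g[name]]); g[name] = stub(name); }
  }
  if (g.navigator && typeof g.navigator.sendBeacon === 'function') {
    patched.push([g.navigator, 'sendBeacon', g.navigator.sendBeacon]);
    g.navigator.sendBeacon = stub('sendBeacon');
  }
  try { return { result: fn(), attempts, error: null }; }
  catch (e) { return { result: undefined, attempts, error: e.message }; }
  finally { for (const [obj, name, orig] of patched) obj[name] = orig; }
}
// Constructed sample exports (not real customer data).
const CRM_EXPORT = 'email,name\nalice@example.com,Alice\n"bob@example.com","Bob, Jr."\n';
const SHOP_EXPORT = 'email,purchases\nALICE@example.com,3\ncarol@example.com,1\n';
// The scenario's merge: two customer lists joined on email, with attempts expected empty.
function mergeCustomerLists(csvA, csvB) {
  return runWithNetworkMonitor(() => mergeOnKey('email', parseCsv(csvA), parseCsv(csvB)));
}
```

An empty attempts list for the processing step is evidence for the no-transmission conclusion for that code path only; authentication and telemetry paths still need the same review.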

Many CSV processing tools upload your file to remote servers. Many SaaS tools retain uploaded files temporarily for debugging, caching, or processing purposes — retention policies vary by vendor. For files containing EU personal data, this may create a processor relationship under GDPR Article 28, requiring a signed DPA before use. SplitForge processes files in Web Worker threads in your browser. For raw file contents, nothing is transmitted to any server — which can materially reduce Article 28 processor exposure for that specific activity.


Practical Steps for Assessing CSV Tools

Step 1: Determine whether your file contains EU personal data. Any file with information relating to identified or identifiable natural persons in the EU is covered by GDPR. Names, email addresses, account IDs, and behavioral data all qualify.

Step 2: Identify how the tool processes files. Is processing server-side (file transmitted to a remote server) or client-side (file processed in the browser without transmission)? The tool's privacy policy, architecture documentation, or a DevTools network verification can answer this question.

Step 3: If server-side, request a DPA before use. Contact the tool's DPO or legal team and request a Data Processing Agreement. If they cannot provide one, do not use the tool for EU personal data.

Step 4: Review the DPA against Article 28(3) requirements. A DPA that only says "we will keep your data secure" is not sufficient. The specific obligations listed in Article 28(3) must be addressed.

Step 5: Add the tool to your Records of Processing Activities. Article 30 requires controllers to maintain a record of processing activities. Every tool used to process EU personal data — including CSV tools — should appear in the RoPA with the DPA reference.

Step 6: Review sub-processor agreements. Article 28(2) requires the processor to obtain your authorization before engaging sub-processors. Ask the tool whether it uses sub-processors for file processing (cloud infrastructure, CDNs, etc.) and confirm those sub-processors are subject to equivalent DPA obligations.

What a Real Vendor Review Looks Like

This is what running the Article 28 assessment looks like for a typical cloud-based CSV processing tool. The tool name is generic — apply this framework to any vendor you are evaluating.

| Assessment Criterion | Typical Cloud CSV Tool | Client-Side Tool (e.g., SplitForge) |
|---|---|---|
| File processing location | Remote server (files transmitted on upload) | Browser only (no transmission for raw file contents) |
| DPA offered? | Often no; review ToS carefully | Not required for raw file processing |
| File retention period | Varies; many retain temporarily for debugging | Zero — file never reaches vendor infrastructure |
| Sub-processors | Cloud infrastructure (AWS, GCP, Azure) typically involved | None for file processing |
| GDPR Article 28 status | Likely a processor — DPA required before use | May not be a processor for raw file processing |
| Article 25 Privacy by Design | Using server-side tool when client-side alternative exists may be inconsistent | Client-side is the Privacy by Design implementation |
| RoPA entry required? | Yes — document tool, DPA reference, data categories | Document the tool; DPA entry may not be required |
| What to do if DPA unavailable | Do not use for EU personal data | Not applicable for raw file processing |

Practical outcome of this assessment: If you cannot obtain a DPA from a cloud CSV tool before use, and the tool receives EU personal data on its servers, you should not use it for that data. This is not a risk calculation — it is the requirement under Article 28.



FAQ

Not necessarily. A tool is a processor only if it processes personal data on your behalf. If the tool processes files entirely client-side — in your browser, without transmitting file contents to any server — the vendor may not be processing personal data on your behalf, and the processor classification for that activity may not apply. If the tool processes files on remote servers, the default position is that it likely qualifies as a processor, and an Article 28 DPA is required.

Violations of Article 28 can attract fines under Article 83(4), which carries a maximum of €10 million or 2% of global annual turnover (whichever is higher). Beyond the fine risk, operating without a DPA means you have no contractual rights against the processor if a breach occurs — no obligation on them to notify you, no right to audit, no guaranteed deletion. The contractual protections in a DPA exist to protect you as much as to satisfy regulatory requirements.

Yes, but most are not. Incorporating adequate DPA provisions into a SaaS agreement is technically possible, and some vendors do it. But a generic "data security" clause or a reference to "industry-standard security practices" does not satisfy the specific requirements of Article 28(3). The DPA must address each of the eight obligations enumerated in Article 28(3) — including sub-processor authorization, data subject rights assistance, and post-service deletion.

These are two distinct instruments addressing two different obligations. An Article 28 DPA governs the controller-processor relationship — it specifies how the processor may use the data and what safeguards they must implement. Standard Contractual Clauses under Chapter V govern international data transfers — they establish legal grounds for transferring EU personal data to countries outside the EEA. Some agreements combine both. A DPA alone does not authorize international transfers; SCCs (or another Chapter V mechanism) are required separately if the processor is outside the EEA.

No. GDPR Article 28(3) requires the processing to be "governed by a contract or other legal act under Union or Member State law." The DPA can be a schedule to a main service agreement, embedded in terms of service, or a standalone document. What matters is that the Article 28(3) obligations are explicitly covered in the written agreement — not what the document is called.

The "on behalf of" element in Article 4(8) requires that the entity process data for the controller's purposes, not its own. If a CSV tool also uses your uploaded data for its own purposes — training models, building analytics, improving its service — it may be acting as a joint controller or even a controller in its own right for those additional purposes. That is a more complex analysis with potentially more serious consequences. Review the tool's privacy policy for language about how uploaded data may be used beyond the requested operation.

Do not use the tool for EU personal data. A vendor that processes EU personal data on your behalf but refuses to sign a DPA is either unaware of their legal obligations or is deliberately avoiding them. Either way, using such a tool exposes you to Article 28 violations regardless of what the vendor's privacy page says. Document the refusal. Explore alternative tools that offer compliant data processing agreements.



Legal disclaimer: The content in this post is for informational purposes only and does not constitute legal advice. The processor classification of any specific tool requires analysis of its architecture, data practices, and relationship to your organization. Consult qualified legal counsel before drawing compliance conclusions.

Process CSV Data Without Processor Risk

Files processed entirely in your browser — no server receives the data
Reduce Article 28 processor exposure for raw file processing to near-zero
No DPA required for client-side processing of raw file contents
Handle 10 million rows locally — clean, merge, reformat without transmitting personal data
