While a data processing agreement may seem to protect the data controller from legal problems when a processor mishands their data, it actually does much more than that. This prevents managers from using a data processor that flies away quickly and smoothly, as the contract requires the subcontractor to meet certain requirements and the data controller must play his or her part in meeting those requirements. By granting instructions, establishing procedures and imposing requirements for the safe and lawful processing of data, the data controller not only protects himself, but also ensures that the processor acts within the limits imposed by the GDPR to protect his data subjects. Article 35 sets out the data protection impact assessments, including when and how they should be carried out. . . .