Understanding Article 28 of GDPR
Selection of data processors
The law requires that data controllers select data processors who are able to provide sufficient guarantees to implement appropriate technical and organizational measures to comply with GDPR.
Use of sub-processors by the processor
A data processor should not engage another processor unless approved by the data controller.
Should the data processor have sub-processors, the data processor must inform the controller of any change and give the data controller the opportunity to object.
Processing activities must be governed by a contract
GDPR requires that data controllers enter into a contract with data processors that sets out the following:
- Purpose of data processing
- Duration of data processing
- Nature of data processing
- Type of personal data processed
- Categories of data subjects affected
- Rights and obligations of the data controller
The contract must further stipulate the following:
- Data processing should only be done based on documented instructions from the data controller
- Data processor will only allow persons subject to confidentiality provisions to access personal data
- Data processor to implement technical and organizational security measures to protect and safeguard the personal data
- Data processor will not engage other data processors without the prior consent of the data controller
- If the data processor must hire a sub-processor, the data processor must flow-through its obligations in such a way that the processor’s obligations can be enforced on the sub-processor
- Assist the data controller in responding to requests made by data subjects
- Assist the data controller in complying with its obligations regarding data security, breach notification to the supervisory authority, breach communication to data subjects, data protection impact assessments, and any prior consultation with the supervisory authority
- Based on the data controller’s choice, delete or return personal data
- Provide the data controller with any information demonstrating the data processor’s compliance with GDPR
Processors to flow-down contract obligations to sub-processors
When a data processor is authorized to engage a sub-processor, the processor must ensure that the sub-processor is bound by the same terms and conditions found in the contract between the data processor and data controller.
If the sub-processor fails to meet its obligations, the data processor remains fully liable to the controller for the performance of the sub-processor's obligations.
Approved code of conduct
If the data processor adheres to an approved code of conduct as outlined in Article 40 or holds a certification referred to under Article 42 of GDPR, it can use that to demonstrate that it offers sufficient guarantees to process personal data.
Standard contractual clauses
The contract between the data controller and processor can be, in whole or in part, based on the standard contractual clauses.
Commission adopting standard contractual clauses
The law authorizes the Commission to adopt standard contractual clauses for use in contracts between data controllers and data processors.
Supervisory authority adopting standard contractual clauses
The supervisory authorities are also authorized to adopt standard contractual clauses in accordance with the consistency mechanism referred to under GDPR.
Contracts must be in writing
The contract between a data controller and data processor must be in writing, including in electronic form.
When the data processor can be considered a controller
When the data processor determines the purposes and means of data processing, the data processor will be considered a controller with regard to that processing activity.
Recitals applicable to Article 28 of GDPR
Relevant Recitals: 81
GDPR Regulation article-by-article overview
Read our comprehensive overview of the GDPR Regulation, article by article, where we summarize each of the 99 articles contained in GDPR to give you a complete understanding of its content.
GDPR Text: Article 28 of GDPR and Relevant Recitals
GDPR Text Source: EUR-Lex
Official GDPR Text: General Data Protection Regulation
Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJL 127, 23.5.2018, p. 2 ((EU) 2016/679)
Download our Article 28 GDPR Checklist.