Article 28 GDPR (Processor)

Understanding Article 28 of GDPR

Selection of data processors

The law requires that data controllers select data processors who are able to provide sufficient guarantees to implement appropriate technical and organizational measures to comply with GDPR.

Use of sub-processors by the processor

A data process should engage another processor unless approved by the data controller. 

Should the data processor have sub-processors, the data processor must inform the controller of any change and give the data controller the opportunity to object.

Processing activities must be governed by a contract

GDPR requires that data controllers mandatorily enter into a contract with data processors outlining the following:

  1. Purpose of data processing
  2. Duration of data processing
  3. Nature of data processing
  4. Type of personal data processed
  5. Categories of data subjects affected
  6. Rights and obligations of the data controller

The contract must further stipulate the following:

  1. Data processing should only be done based on documented instructions from the data controller
  2. Data processor will only allow persons subject to confidentiality provisions to access personal data
  3. Data processor to implement technical and organizational security measures to protect and safeguard the personal data
  4. Data processor will not engage other data processors without the prior consent of the data controller
  5. If the data processor must hire a sub-processor, the data processor must flow-through its obligations in such a way that the processor’s obligations can be enforced on the sub-processor
  6. Assist the data controller to respond to a request made by data subjects
  7. Assist the controller to help controller comply with its data security, breach notification to the supervisory authority, breach communication to data subjects, perform a data protection impact assessment and perform any prior consultations with the supervisory authorities
  8. Based on the data controller’s choice, delete or return personal data
  9. Provide the data controller with any information demonstrating the data processor’s compliance with GDPR

Processors to flow-down contract obligations to sub-processors

When a data processor is authorized to engage a sub-processor, the processor must ensure that the sub-processor is bound by the same terms and conditions found in the contract between the data processor and data controller.

If the sub-processor does not meet its obligations, the data processor will be fully liable to the controller for the performance of its sub-processors.

Approved code of conduct

If the data processor can get an approved code of conduct as outlined in Article 40 or a certification referred under Article 42 of GDPR, they can use that to demonstrate they offer sufficient guarantees to process personal data.

Standard contractual clauses

The contract between the data controller and processor can be, in whole or in part, based on the standard contractual clauses.

Commission adopting standard contractual clauses

The law authorizes the commission to adopt standard contractual clauses allowing data controllers to use with data processors.

Supervisory authority adopting standard contractual clauses

The supervisor authorities are also authorized to adopt standard contractual clauses based on the consistency mechanism referred to under GDPR.

Contracts must be in writing

The contract between a data controller and data processor must be in writing including the electronic form.

When the data processor can be considered a controller 

When the data processor determines the purpose of data processing, the data processor will be considered a controller with regards to that processing activity.

Recitals applicable to Article 28 of GDPR

Relevant Recitals: 81

GDPR Regulation article-by-article overview

Read our comprehensive overview of the GDPR Regulation, article by article, where we summarize each of the 99 articles contained in GDPR to give you a complete understanding of its content.

Cited Legislation


GDPR Text: Article 28 of GDPR and Relevant Recitals

GDPR Text Source: EUR-Lex

Official GDPR Text: General Data Protection Regulation 

Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJL 127, 23.5.2018, p. 2 ((EU) 2016/679)

Article 28 GDPR Checklist

Download our Article 28 GDPR Checklist.