Article 28 GDPR

From GDPRhub
Article 28 - Processor
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 28 - Processor

1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:

(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) takes all measures required pursuant to Article 32;
(d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
(e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;
(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;
(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

4. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.

5. Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.

6. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.

7. The Commission may lay down standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2).

8. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.

9. The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.

10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.

Relevant Recitals

Recital 81: Entrusting a Processor
To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller. The carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject. The controller and processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission. After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store the personal data under Union or Member State law to which the processor is subject.

Commentary

Complex processing often requires the outsourcing of certain activities to specialised service providers with whom personal data are then shared (“processors”). Article 28 GDPR addresses this scenario and establishes the legal framework for such cooperation, thereby ensuring the protection of the data subjects' rights as well as general GDPR compliance.

(1) Processor

Article 28 GDPR governs the relationship between the controller and the processor. Controllers can only work with processors who can provide guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. The controller must be able to demonstrate the required technical knowledge, expertise and resources to provide adequate guarantees.

The controller shall use only

The controller cannot engage processors who are unable to guarantee, with regard to their assigned portion of the processing, compliance with the GDPR and the protection of the data subject's rights. This prohibition is perfectly understandable. Conversely, the controller could reduce the guarantees provided by the GDPR simply by outsourcing parts of the processing that it prefers not to invest in. It follows that, before engaging any processor, the controller must carefully check that these requirements are met (see below).

Processor(s)

The concept of a "processor" is defined in Article 4(8) of the GDPR as any natural or legal person, public authority, or other entity that processes personal data on behalf of the controller. This means that, at least in principle, there are no specific limitations regarding the type of actor that can assume this role.

The processor must be a "separate entity". The controller must entrust the task to an external organization, which includes companies belonging to the same corporate group but does not include a department within the same company. Equally, there is no processor when the controller decides to assign a part of the processing to its employees or other individuals acting under its "direct authority", as outlined in Article 29 of the GDPR.

The separate entity must process data "on behalf of the controller". In other words, the controller decides on means and purposes (Article 4(7) GDPR) and the processor's activities are done for the benefit and under the instructions of the controller.[1] Processing data "on behalf of the controller" excludes any scenario of processing data for the processor's "own purposes." In such a situation, it is assumed that the "processor" has exceeded or otherwise violated the controller's lawful instructions,[2] becoming an independent controller itself as stated in Article 28(10) GDPR.

Example: from EPDB guidelines: "Service provider MarketinZ provides promotional advertisement and direct marketing services to various companies. Company GoodProductZ concludes a contract with MarketinZ, according to which the latter company provides commercial advertising for GoodProductZ customers and is referred to as data processor. However, MarketinZ decides to use GoodProducts customer database also for other purposes than advertising for GoodProducts, such as developing their own business activity. The decision to add an additional purpose to the one for which the personal data were transferred converts MarketinZ into a data controller for this set of processing operations and their processing for this purpose would constitute an infringement of the GDPR."

The nature of the service will determine whether the processing activity amounts to processing of personal data on behalf of the controller within the meaning of the GDPR.

EDPB: In practice, where the provided service is not specifically targeted at processing personal data or where such processing does not constitute a key element of the service, the service provider may be in a position to independently determine the purposes and means of that processing which is required in order to provide the service. In that situation, the service provider is to be seen as a separate controller and not as a processor. [3]

When considering whether or not to entrust the processing of personal data to a particular service provider, controllers should carefully assess whether the service provider in question allows them to exercise a sufficient degree of control, taking into account the nature, scope, context and purposes of processing as well as the potential risks for data subjects. A case-by-case analysis remains necessary, however, in order to ascertain the degree of influence each entity effectively has in determining the purposes and means of the processing.

Example: Call center. Company X outsources its client support to Company Y who provides a call center in order to help Company X’s clients with their questions. The client support service means that Company Y has to have access to Company X client data bases. Company Y can only access data in order to provide the support that Company X has procured and they cannot process data for any other purposes than the ones stated by Company X. Company Y is to be seen as a personal data processor and a processor agreement must be concluded between Company X and Y.[4]

Providing sufficient guarantees

The controller can only use processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subject.[5]

According to Recital 81 GDPR, the assessment shall be done "in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of [the] Regulation, including for the security of processing". More precisely, the controller will have to take into “serious consideration” different elements, including the processor’s privacy policies, terms of service, records of processing activities, management and information security policies, reports of external audits as well as recognised international certifications (e.g. ISO 27000 series). The controller should also assess the processor’s expert knowledge and technical expertise of security measures and data breaches, reliability and resources. The reputation of the processor in the market may also be a relevant factor.[6]

Example: xxx

The obligation to use only processors “providing sufficient guarantees” is a continuous one which does not end with the conclusion of the contract. Rather, the controller should verify the processor’s guarantees through audits and inspections at appropriate intervals.[7]

(2) Engagement of other processors by the processor

Article 28(2) GDPR prevents the processor from engaging with further processors without prior specific or general written authorisation of the controller, because the latter remains responsible for the processing operations. In cases of general written authorisations, processors should provide controllers with a list of sub-processors, details as to the type of processing, its relation to specific products or services, and the relevant data protection safeguards that will be in place when processing is undertaken by specific sub-processors.[8]

Example: XXX

If the processor decides to change any of the above (e.g. replace a sub-processor), the controller must be informed so that it can object to such change. According to the EDPS, the opportunity to object must be "meaningful".[9] This implies that a ‘take-it -or-leave-it’ scenario, "whereby the sole and exclusive remedy of the controller is to terminate its contract with the processor, would not be a meaningful remedy". This is because, "in the EDPS’ view, if terminating one service means having to terminate an entire suite of services and if a controller does not consider that a viable business option, that would result in the controller having no choice but to accept a sub-processor".[10] For specific written authorisations, the EDPB has suggested that these could refer to a specific sub-processor for a specific processing activity and at a specific time and if a processor’s request for a specific authorisation is not answered to within the set time-frame, it should be held as denied. Therefore, according to the EDPB the difference between general and specific authorisations has to do with the interpretation of the controller’s non-response to a request.[11] With regard to "a general authorisation, the controller’s silence is to be interpreted as an authorisation. In contrast, with regard to a specific authorisation, the controller’s silence is to be interpreted as a refusal to provide authorisation for the specific sub-processor(s) for which the processor is requesting authorisation".[12]

Example: XXX

In both cases, the EDPB has suggested that the relevant communication procedures and timeframes must be included in the controller-processor contract, and that such timeframe must be reasonable depending on the type and complexity of processing.[13] Article 28(4) GDPR contains further obligations of the processor engaging another processor (see below).

(3) Contract or other legal binding act

The relationship between controller and processor must be defined either by a written contract or another legal act under Union or Member State law (processing between the parties "shall be governed by a contract or other legal act"). This is necessary to ensure a transparent allocation of responsibilities and liabilities both internally (between controllers and processors) and externally (towards data subjects and regulators).[14]

Contract or other legal act

Paragraph 3 requires that any shared processing activity between a controller and a processor be based on a contract or another "legal act" derived from European or Member State law.[15] In the absence of at least one of these, the activity will be unlawful and a source of liability. The absence of a clear definition of the relationship between the controller and the processor may raise the problem of the lack of legal basis on which every processing should be based,[16] e.g. in respect of the communication of data between the controller and the alleged processor.[17]

The contract or legal act must be in writing, including in electronic form (Article 28(9) GDPR). Therefore, relying solely on non-written agreements, no matter how detailed or efficient they may be, cannot be considered sufficient to fulfill the requirements outlined in Article 28 of the GDPR. To avoid any potential difficulties in demonstrating the actual enforceability of a contract or other legal act, it is recommended to ensure that the necessary validity elements are included in the legal document (i.e. signatures), in accordance with the applicable laws, such as contract law.[18]

EDPB: The presence (or absence) of a written arrangement, however, is not decisive for the existence of a controller processor relationship. Where there is reason to believe that the contract does not correspond with reality in terms of actual control, on the basis of a factual analysis of the circumstances surrounding the relationship between the parties and the processing of personal data being carried out, the agreement may be set aside. Conversely, a controller-processor relationship might still be held to exist in absence of a written processing agreement. This would, however, imply a violation of Article 28(3) GDPR.[19]

The contract and the legal act must be binding on the processor[20] and must contain a set of minimal elements,[21] namely: (1) the subject-matter,[22] (2) the duration of the processing,[23] (3) the nature[24] and (4) purpose of the processing[25], (5) the type of personal data,[26] (6) the categories of the data subjects[27] and (7) the obligations and rights of the controller.[28] If the legal act "does not include all the minimum required content, it must be supplemented with a contract or another legal act that includes the missing elements."[29] The EDPB clarifies that controllers and processors are not required to use contracts based on SCCs, and there is no preference for them over individual contracts. Both options are valid for complying with data protection laws, as long as they meet the requirements stated in Article 28(3), depending on the specific situation. The parties, can therefore "negotiate their own contract including all the compulsory elements or to rely, in whole or in part, on standard contractual clauses in relation to obligations under Article 28."[30]

EDPB: If the parties wish to take advantage of standard contractual clauses, the data protection clauses of their agreement must be the same as those of the SCCs. The SCCs will often leave some blank spaces to be filled in or options to be selected by the parties. Also, as also mentioned above, the SCCs will generally be embedded in a larger agreement describing the object of the contract, its financial conditions, and other agreed clauses: it will be possible for the parties to add additional clauses (e.g. applicable law and jurisdiction) as long as they do not contradict, directly or indirectly, the SCCs48 and they do not undermine the protection afforded by the GDPR and EU or Member State data protection laws.[31]

Finally, the fact that the service provider prepares the contract and its detailed terms of business, rather than the controller, does not pose a problem in itself. It is not sufficient grounds to consider the service provider as a controller.

EDPB: The power imbalance in contractual negotiations between a small data controller and larger service providers should not be used as an excuse for accepting clauses and contract terms that do not comply with data protection laws. The controller cannot avoid its data protection obligations on this basis. The controller must carefully evaluate the terms and, by freely accepting them and utilizing the service, it assumes full responsibility for GDPR compliance.[32]

The second part of Article 28(3) GDPR provides a list of elements which must be specifically provided by the contract or other legal act.

(a) Documented instructions

The contract or other legal act must oblige the processor to only act on documented instructions from the controller, unless otherwise provided for by Union or Member State law. Controllers must provide its processors with instructions related to each processing activity. Such instructions can include permissible and unacceptable handling of personal data, more detailed procedures, ways of securing data, etc.[33] The contract can provide the parties with procedures and templates to communicate “documented” instructions. For these purposes, it is recommended to include a procedure and a template for giving further instructions in an annex to the contract or other legal act. However, instructions can be given by different means (e.g. e-mail) as long as it is possible to keep records of them.[34]

In general, the processor shall not go beyond what is instructed by the controller. However, this is admitted when the processor is obligated by EU law or Member State law to process or transfer personal data. In such cases, the processor must inform the controller about such requirements before commencing the processing.[35] This provision emphasizes the importance of carefully negotiating and drafting data processing agreements. Both parties may need to seek legal advice to determine the existence of any such legal requirement. Regardless, any transfer or disclosure can only occur if authorized by Union law, including in accordance with Article 48 of the GDPR.[36]

International transfers

The provision clarifies that the rules on documented instructions also apply to transfers in the sense of Articles 44 et seqq. GDPR. The contract should specify the requirements for transfers to third countries or international organisations, taking into account the provisions of Chapter V of the GDPR. If the instructions by the controller "do not allow for transfers or disclosures to third countries, the processor will not be allowed to assign the processing to a sub-processor in a third country, nor will he be allowed to have the data processed in one of his non-EU divisions".[37]

Example: XXX

(b) Confidentiality

The contract should explicitly state that the processor is responsible for ensuring that anyone authorized to process the personal data is bound by confidentiality. This can be achieved through a specific contractual agreement or existing statutory obligations. The term "persons authorized to process the personal data" encompasses both employees and temporary workers. In general, the processor should only grant access to the personal data to employees who require it to perform the tasks for which the processor was engaged by the controller.

(c) Measures required by Article 32 GDPR

Article 28(3)(c) of the GDPR requires that the contract or other binding agreement impose on the processor the obligation to implement the security measures mandated by Article 32 of the GDPR.[38] The EDPB emphasizes that a mere reference to the obligations stemming from Article 32 is not sufficient. The contract or binding act must, at the very least, (i) specify the security measures to be implemented, (ii) introduce an obligation on the processor not to modify these measures without prior authorization from the controller, and (iii) require the parties to continuously review the measures to ensure their adequacy and effectiveness. This level of specificity is necessary to appropriately assess risks. Furthermore, it is the only way for the controller to fulfill its accountability obligations under Articles 5(2) and 24 of the GDPR.[39]

(d) Engaging a sub-processor

As explained above, processors should obtain prior specific or general authorisation to use sub-processors or to change arrangements with existing sub-processors. If the processor engages another processor, they must establish a contract that imposes the same data protection obligations as those imposed on the original processor. Alternatively, these obligations can be imposed through another legal act based on Union or Member State law. This requirement also encompasses the obligation specified in Article 28(3)(h) to facilitate and cooperate with audits conducted by the controller or an auditor appointed by the controller. The processor bears liability to the controller for ensuring that the other processor complies with data protection obligations. The contract or legal act must further regulate these aspects.[40]

(e) Assisting with the controller's obligation to respond to data subject's requests

The controller remains responsible for overall compliance with the GDPR and, specifically, for handling data subject rights requests under Articles 12-22 GDPR, regardless of the involvement of processors.[41] However, processors do exist: they hold, store, disclose, use and in general process personal data on their systems. For example, consider a request for erasure under Article 17, where some of the data is physically located with the processor. In order to fulfill its obligations, the controller requires the cooperation of the processor.

This is why, under Article 28(3)(e) GDPR, the processors shall nevertheless be obliged to assist the controller. Typically, this consists of promptly forwarding any requests received from data subjects. However, in some circumstances the processor will be given more specific, technical duties, especially when it is in the position of extracting and managing the personal data. The contract should list the technical and organisational measures adopted by the processor to enable the assistance. It is crucial to bear in mind that, although "the practical management of individual requests can be outsourced to the processor, the controller bears the responsibility for complying with such requests. Therefore, the assessment as to whether requests by data subjects are admissible and/or the requirements set by the GDPR are met should be performed by the controller, either on a case-by-case basis or through clear instructions provided to the processor in the contract before the start of the processing."[42]

This is not an absolute obligation. The legislature mandates the processor to take every measure to assist the controller, but also clarifies that this should be done "taking into account the nature of the processing" and "insofar as this is possible." An example is when an external service company is engaged to handle the destruction of files and data carriers. Due to its inherent nature, the processor can only assist controllers in fulfilling deletion requests.[43]

(f) Assisting with the controller's obligations under Articles 32 to 36 GDPR

Under Article 28(3)(f) GDPR, the agreement between the parties or other legal act provides further details as to how the processor should assist the controller in complying with Articles 32 - 36 GDPR. However, the contract or other legal document should not merely repeat what is prescribed by the provision. On the contrary, specific details are needed regarding the specific measures that the processor must adopt to assist the controller. The selection of such measures should be made "taking into account the nature of processing and the information available to the processor." In other words, the controller must provide the processor with the necessary elements to understand the processing and provide effective assistance.[44]

Example: XXX

The reference to Article 32 GDPR indicates that the processor shall provide assistance on how to best implement effective security measures. While this "may overlap, to some extent, with the requirement that the processor itself adopts adequate security measures [Article 28(1) GDPR], where the processing operations of the processor fall within the scope of the GDPR, they remain two distinct obligations, since one refers to the processor’s own measures and the other refers to the controller’s."[45]

When a data breach occurs (Articles 33-34 GDPR), the processor shall notify the controller without undue delay. The EDPB recommends “to include in the contract a specific timeframe (e.g. number of hours) by which the processor should notify the controller, as well as the point of contact for such notifications, the modality and the minimum content expected by the controller.” Moreover, the Board notes that “The contractual arrangement between the controller and the processor may also include an authorisation and a requirement for the processor to directly notify a data breach in accordance with Articles 33 and 34, but the legal responsibility for the notification remains with the controller”.[46]

"Where necessary and upon request", the processor must provide assistance in case the controller carries out a Data Protection Impact Assessment (Article 35 GDPR) or if a prior consultation before a DPA is needed under Article 36 GDPR. As a result, "the controller is the one that must take the initiative to perform the data protection impact assessment, not the processor."[47]

(g) Deleting or returning personal data

The purpose of the contractual terms is to guarantee that personal data receives suitable protection after the conclusion of the "provision of services related to the processing." Consequently, it is the responsibility of the controller to determine the actions the processor should take concerning the personal data. The controller can decide whether personal data (including existing copies) shall be deleted or returned after the end of the provision of the processor's services.[48]

If the controller chooses that the personal data be deleted, the processor should ensure that the deletion is performed in a secure manner in compliance with Article 32 GDPR. The processor should confirm to the controller that the deletion has been completed in keeping with an agreed timescale and manner.[49]

EDPB: The controller can decide at the beginning whether personal data shall be deleted or returned by specifying it in the contract, through a written communication to be timely sent to the processor. The contract or other legal act should reflect the possibility for the data controller to change the choice made before the end of the provision of services related to the processing. The contract should specify the process for providing such instructions.[50]

The deletion or return of data may be avoided if so required by the laws of the Member States or the European Union. Lastly, it is rightly noted that the processor may retain the data if necessary for the exercise or defense of legal claims. In such cases, however, the processor acts as an independent controller and must therefore operate on the basis of a valid legal basis.

(h) Provision of compliance demonstrating information and contribution to audits

According to general principles, it is the responsibility of the controller to demonstrate that the processing is carried out in compliance with the GDPR. Article 28(3)(h) GDPR enables such a task in case processors are used. According to Article 28(3)(h) GDPR, the processor should provide all information necessary to demonstrate compliance with all the aforementioned obligations to the controller, and allow for as well as contribute to audits, including inspections, conducted by the controller or another auditor.[51]

The contract should specify the frequency and method of information exchange between the processor and the controller, ensuring that the controller is fully informed about the processing details necessary to demonstrate compliance with the obligations outlined in Article 28 of the GDPR. For example, relevant parts of the processor's records of processing activities can be shared with the controller. The processor should provide comprehensive information on how the processing activities will be carried out on behalf of the controller. This information should encompass details about system functionality, security measures, compliance with data retention requirements, data location, data transfers, data access, recipients of data, use of sub-processors, and other relevant aspects.[52]

The contract must also specify the methods through which the processor assists in conducting audits and inspections by the controller or its appointed auditor. These activities enable the controller to verify the processor's compliance with the obligations stated in this Article. The parties should engage in a cooperative manner and evaluate whether and when audits should be conducted at the premises of the processor. They should also determine the appropriate type of audit or inspection (remote, on-site, or alternative methods) based on the specific circumstances, considering security considerations. The controller has the ultimate decision-making authority in this regard.[53] After the inspection results are obtained, the controller should have the ability to request the processor to implement necessary measures, such as addressing identified deficiencies and gaps.[54]

It is advisable to record the results of the inspections carried out by the person responsible so that, if necessary, proof of these can be provided to the supervisory authorities at a later date.

Obligation to notify the controller in case of infringing instructions

The final sentence of Article 28(3) GDPR requires the processor to immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. After the alert is sent, the controller shall verify whether it is grounded. If the controller confirms the instructions, the processor may carry them out. Nonetheless, this principle does not apply if the controller explicitly demands actions that clearly violate the law or seriously infringe upon personal rights. In such instances, the processor has the right to refuse to carry out the data processing requested by the controller.[55]

EDPB: The EDPB recommends the parties to negotiate and agree in the contract the consequences of the notification of an infringing instruction sent by the processor and in case of inaction from the controller in this context. One example would be to insert a clause on the termination of the contract if the controller persists with an unlawful instruction. Another example would be a clause on the possibility for the processor to suspend the implementation of the affected instruction until the controller confirms, amends or withdraws its instruction.[56]

(4) Sub-processing

While Article 28(2) GDPR specifies the conditions under which the processor may engage other processors, Article 28(4) GDPR contains the legal consequences of subcontracting. The first sentence obliges the (original) processor to conclude a contract or otherwise rely on another legal act with the sub-processor that contains the same obligations as the one concluded with the controller and the processor. Therefore, the sub-processor should also provide sufficient guarantees that it implemented appropriate technical and organisational measures. The EDPB clarified that “this includes the obligation under Article 28(3)(h) to allow for and contribute to audits by the controller or another auditor mandated by the controller”.[57] The second sentence lays out that the (original) processor is liable to the controller for breaches by the sub-processor. The involvement of multiple data processors does not result in a complication of legal protection and liability in this regard.[58]

(5) Codes of conduct

Article 28(5) GDPR gives the processor the option of demonstrating sufficient guarantees through adherence to an approved code of conduct (Article 40 GDPR) or an approved certification mechanism (Article 42 GDPR). Whether this adherence is real and has been demonstrated must be decided in each case, taking into account the specific processing, the code of conduct and/or the certification procedure.[59] Moreover, it should be pointed out that adherence to such systems is only a “element” by which to demonstrate sufficient guarantees.. Thus, an overall assessment of the controller based on all the information and evidence available to them is still required (cf. Recital 81 sentence 2 GDPR).[60]

(6) to (8) Standard contractual clauses

Article 28(6) GDPR introduces the possibility to base the contract or other legal act in whole or in part on standard contractual clauses. This option has the potential to create simple and recognised contractual clauses, especially for largely standardised processes and processing such as cloud, hosting and infrastructure services or also software-as-a-service offerings, which creates a balanced and data protection-friendly framework for controllers, processors, as well as data subjects.[61] According to this provision, the use of standard contractual clauses can also be considered in connection with an officially recognised certification granted to the controller or processor pursuant to Articles 42 and 43 GDPR.[62]

There are two ways in which standard contractual clauses can be established. On the one hand, the Commission may lay them down in accordance with the examination procedure referred to in Article 93(2) GDPR (Article 28(7) GDPR). On the other hand, they can also be adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 63 GDPR (Article 28(8) GDPR). The Commission has made use of its power under Article 28(7) GDPR and published standard contractual clauses for the first time with the implementing decision dated 4 June 2021.[63] Previously, standard contractual clauses were published in the "EDPB's Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism".[64]

(9) Form requirements

Article 28(9) GDPR states that the contract or the other legal act shall be in writing and clarifies that the electronic form fulfils this requirement.

(10) Consequences in case of an excess of the processor

The processor is not entitled to determine the purposes and means of the processing. If it nevertheless takes over the processing, it is deemed a controller with regard to this processing pursuant to Article 28(10) GDPR. This provision governs cases where the processor unlawfully exceeds its powers because the decision-making power lies with the controller.[65]  Any liability under Articles 82, 83 and 84 remains unaffected. The processor loses its privileged status with regard to liability, and is subject to all the obligations of a controller set out in the Regulation.[66]

Decisions

→ You can find all related decisions in Category:Article 28 GDPR

References

  1. However, the processor is not an employee or someone under the controller's direct authority (Article 29 GDPR). In fact, "the controller’s instructions may still leave a certain degree of discretion about how to best serve the controller’s interests, allowing the processor to choose the most suitable technical and organizational means." See, EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), pp. 25-26 (available here).
  2. Instructions are considered "lawful" as long as they fall within the scope of Article 28 GDPR. In other words, the controller cannot lawfully instruct the processor to carry out processing for its own purposes, as this could lead to potential contractual liability.
  3. An example can shed some light: "A taxi service offers an online platform which allows companies to book a taxi to transport employees or guests to and from the airport. When booking a taxi, Company ABC specifies the name of the employee that should be picked up from the airport so the driver can confirm the employee’s identity at the moment of pick-up. In this case, the taxi service processes personal data of the employee as part of its service to Company ABC, but the processing as such is not the target of the service. The taxi service has designed the online booking platform as part of developing its own business activity to provide transportation services, without any instructions from Company ABC. The taxi service also independently determines the categories of data it collects and how long it retains. The taxi service therefore acts as a controller in its own right, notwithstanding the fact that the processing takes place following a request for service from Company ABC." See, EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 27 (available here).
  4. Example: General IT support. Company Z hires an IT service provider to perform general support on its IT systems which include a vast amount of personal data. The access to personal data is not the main object of the support service but it is inevitable that the IT service provider systematically has access to personal data when performing the service. Company Z therefore concludes that the IT service provider - being a separate company and inevitably being required to process personal data even though this is not the main objective of the service – is to be regarded as a processor. A processor agreement is therefore concluded with the IT service provider. Example: IT-consultant fixing a software bug. Company ABC hires an IT-specialist from another company to fix a bug in a software that is being used by the company. The IT-consultant is not hired to process personal data, and Company ABC determines that any access to personal data will be purely incidental and therefore very limited in practice. ABC therefore concludes that the IT-specialist is not a processor (nor a controller in its own right) and that Company ABC will take appropriate measures according to Article 32 of the GDPR in order to prevent the IT-consultant from processing personal data in an unauthorised manner. From EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 27 (available here).
  5. The language used is almost identical to that of Article 25(1) GDPR, last sentence. The connection seems clear. In that case, the controller is dealing with its own measures. In this, with the measures the processor must take to ensure the same result.
  6. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.0), p. 31 (available here).
  7. See also Article 28(3)h GDPR.
  8. Millard, Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary [Update of Selected Articles - May 2021] Article 28 GDPR, p. 131 (Oxford University Press 2020).
  9. EDPS, ‘EDPS Public Paper on Outcome of own-initiative investigation into EU institutions’ use of Microsoft products and services’, 2 July 2020, margin number 71 (available here).
  10. Millard, Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary [Update of Selected Articles - May 2021] Article 28 GDPR, p. 131 (Oxford University Press 2020).
  11. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 43 (available here).
  12. Millard, Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary [Update of Selected Articles - May 2021] Article 28 GDPR, p. 132 (Oxford University Press 2020)
  13. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 43 (available here).
  14. Millard, Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 28 GDPR, p. 606 (Oxford University Press 2020).
  15. The Regulation refers to “other legal act”. This includes EU and national law (primary or secondary) or other legal instrument. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 32 (available here).
  16. The Regulation establishes a clear obligation to enter into a contract, "where no other relevant legal act is in force, the absence thereof is an infringement of the GDPR. Both the controller and processor are responsible for ensuring that there is a contract or other legal act to govern the processing." Subject to the provisions of Article 83 of the GDPR, the competent supervisory authority will be able to direct an administrative fine against both the controller and the processor, taking into account the circumstances of each individual case. Contracts that have been entered into before the date of application of the GDPR should have been updated in light of Article 28(3). The absence of such update, in order to bring a previously existing contract in line with the requirements of the GDPR, constitutes an infringement of Article 28(3). See, EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 32 (available here).
  17. It is generally accepted that processing in the controller-processor relationship is privileged. This notably means that no legal basis under Article 6 GDPR is required for the sharing of personal data between the two parties. This does not weaken the standard of data protection because the "reduced" material legal requirements are compensated for by technical and organisational measures. This view is supported by the fact that the processor is bound by the controller’s instructions. In addition, Hartung also makes a systematic argument based on the GDPR’s different obligations for processors and controllers. If Article 28 GDPR did not intend any privilege, the rules of Article 28 GDPR, and in particular of Article 28(10) GDPR, would be superfluous as everything could be regulated via the general GDPR rules. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin numbers 13, 15-16 (C.H. Beck 2020, 3rd Edition). Ultimately, this is historically justified by the fact that the privilege already existed under the Directive 95/46/EC as already affirmed by the WP29: "controller and processor and their staff are (…) considered as the ‘inner circle of data processing’ and are not covered by special provisions on third parties." WP29, ‘Opinion 1/2010 on the concepts of "controller" and "processor"’, 00264/10/EN WP 169, 16 February 2010, p. 6 (available here).
  18. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 31 (available here).
  19. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 32 (available here).
  20. According to the EDPB, the contract or the other legal act under Union or Member State law "must be binding on the processor with regard to the controller, i.e. it must establish obligations on the processor that are binding as a matter of EU or Member State law." Also it must set out the obligations of the controller. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 32 (available here).
  21. If the legal act does not include all the minimum required content, it must be supplemented with a contract or another legal act that includes the missing elements. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 32 (available here).
  22. For example, consider the video surveillance footage capturing individuals as they enter and exit a highly secure facility. Although the processing topic is broad, it is important to provide sufficient details to clarify the primary focus of the processing.
  23. The specific timeframe for the processing, as well as the criteria used to determine it, should be explicitly stated. For example, it could be referenced to the duration outlined in the processing agreement.
  24. The description should include a comprehensive list of the operations conducted during the processing, such as "filming," "recording," "archiving of images," and so on, as well as the purpose of the processing, such as "detecting unlawful entry." This level of detail is crucial to enable external parties, such as supervisory authorities, to fully grasp the nature of the processing and the associated risks entrusted to the processor. With regard to the nature of processing, the processor may be given some leeway as to the means of processing. Bertermann, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 28 GDPR, margin number 20 (C.H. Beck 2018, 2nd Edition) with reference to WP29, ‘Opinion 1/2010 on the concepts of "controller" and "processor"’, 00264/10/EN WP 169, 16 February 2010, p. 17 (available here).
  25. The description of the purpose has to be concrete and conclusive. This is necessary to define the roles and the controller's responsibilities. The processor must not have any leeway in this respect. See, Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 65 (C.H. Beck 2020, 3rd Edition); Bertermann, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 28 GDPR, margin number 20 (C.H. Beck 2018, 2nd Edition).
  26. The level of specification should be as detailed as possible, providing explicit examples like "video images of individuals as they enter and leave the facility." Merely referring to it as "personal data pursuant to Article 4(1) GDPR" or "special categories of personal data pursuant to Article 9" would not be sufficient. If special categories of data are involved, the contract or legal act should specify the exact types of data concerned, such as "information regarding health records" or "information indicating the data subject's trade union membership."
  27. For instance: “visitors”, “employees”, "delivery services" etc.
  28. To determine the rights and obligations of the controller, the following aspects, for example, must be taken into account. According to the GDPR, only the controller decides on deletion, correction and access. In particular, the controller is also responsible for checking the general permissibility and lawfulness of processing and must issue sufficient instructions. In particular, this includes the duty of the controller to appear as such and to create transparency for the data subject. See, Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 66 (C.H. Beck 2020, 3rd Edition).
  29. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 32 (available here).
  30. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 32 (available here). Scholars confirm such view: without prejudice to "any individual contract between them, the controller and processor can also manage the requirements of Article 28(3) and (4) via standard contractual clauses that the European Commission has issued or a supervisory authority has adopted under Article 28(8)". See, Millard, Kamarinou, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 28 GDPR, p. 606 (Oxford University Press 2020).
  31. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 33 (available here).
  32. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 34 (available here).
  33. It is however possible for the processor to suggest elements that, if accepted by the controller, become part of the instructions given.
  34. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 36 (available here).
  35. However, if the same (EU or Member State) law prohibits the processor from informing the controller due to "important grounds of public interest," there is no obligation to provide this information.
  36. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 36 (available here).
  37. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 36 (available here).
  38. For more detailed information, please refer to the commentary under Article 32 GDPR.
  39. The level of instructions provided by the controller to the processor as to the measures to be implemented will depend on the specific circumstances. In some cases, the controller may provide a clear and detailed description of the security measures to be implemented. In other cases, the controller may describe the minimum security objectives to be achieved, while requesting the processor to propose implementation of specific security measures. In any event, the controller must provide the processor with a description of the processing activities and security objectives (based on the controller’s risk assessment), as well as approve the measures proposed by the processor. This could be included in an annex to the contract. The controller exercises its decision-making power over the main features of the security measures, be it by explicitly listing the measures or by approving those proposed by the processor. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 37 (available here).
  40. See Paragraph 4 on “Sub-Processing” below.
  41. The deadlines set out by Chapter III cannot be extended by the controller based on the fact that the necessary information must be provided by the processor. The same goes for the other requirements set forth in Article 12 GDPR.
  42. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 37 (available here).
  43. Petri, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 28 GDPR, margin number 70 (C.H. Beck 2019).
  44. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 38 (available here).
  45. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 38 (available here).
  46. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 39 (available here).
  47. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 39 (available here).
  48. The wording "end of the provision of services" refers to the termination of the relationship between the parties, regardless of the specific reason that led to such an outcome. Consequently, it could be the case that the contract has reached its specified term, or that the purpose of the processing has been achieved, or even that the processing is deemed unlawful by a decision of the competent authority.
  49. In these exact terms: EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.0), p. 40 (available here).
  50. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 40 (available here).
  51. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 78 (C.H. Beck 2020, 3rd Edition).
  52. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 40 (available here).
  53. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 41 (available here).
  54. Opinion 14/2019 on the draft Standard Contractual Clauses submitted by the DK SA (Article 28(8) GDPR), p. 14 (available here).
  55. Petri, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 28 GDPR, margin number 83 (C.H. Beck 2019).
  56. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 41 (available here).
  57. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.0), p. 40 (available here).
  58. VPetri, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 28 GDPR, margin number 85 (C.H. Beck 2019).
  59. Bertermann, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 28 GDPR, margin number 31 (C.H. Beck 2018, 2nd Edition).
  60. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 59 (C.H. Beck 2020, 3rd Edition).
  61. Bertermann, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 28 GDPR, margin number 31 (C.H. Beck 2018, 2nd Edition).
  62. Klug, in Gola, Datenschutz-Grundverordnung, Article 28 GDPR, margin number 16 (C.H. Beck 2018, 2nd Edition).
  63. Commission, Implementing Decision (EU) 2021/915 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council, 4 June 2021 (available here).
  64. Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism (available here)
  65. Spoerr, in Wolff, Brink, BeckOK Datenschutzrecht, Article 28 GDPR, margin number 104 (Beck 2021, 39th Edition).
  66. Spoerr, in Wolff, Brink, BeckOK Datenschutzrecht, Article 28 GDPR, margin number 104 (Beck 2021, 39th Edition).