
Article 28 GDPR

From GDPRhub
Article 28 - Processor

Legal Text


Article 28 - Processor

1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:

(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) takes all measures required pursuant to Article 32;
(d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
(e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;
(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;
(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

4. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.

5. Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.

6. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.

7. The Commission may lay down standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2).

8. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.

9. The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.

10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.

Relevant Recitals

Recital 81: Entrusting a Processor
To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller. The carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject. The controller and processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission. After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store the personal data under Union or Member State law to which the processor is subject.

Commentary

Complex processing often requires the outsourcing of certain activities to specialised service providers with whom personal data are then shared. If such a service provider processes personal data on behalf of the controller, it acts as a processor (as defined in Article 4(8) GDPR). Even if the controller engages a processor, it continues to determine the purposes and means of the processing.

Article 28 GDPR addresses this scenario and establishes the legal framework for such cooperation, thereby ensuring the protection of the data subjects' rights as well as general GDPR compliance. This provision is intended to ensure that the engagement of processors does not lower the level of data protection compared to a situation where the controller processes personal data itself.[1]

Therefore, Article 28(1) GDPR stipulates that controllers should only select appropriate processors that can provide sufficient guarantees to comply with the GDPR. Article 28(2) and (4) GDPR make sure that controllers keep control over any further processors engaged by processors by demanding a prior written authorisation by the controller for the engagement of another processor and by requiring that the agreement between a processor and its sub-processor has the same obligations as the agreement between the controller and its processor.

Article 28(3) GDPR provides for specific requirements that the contract or other legal act between a controller and a processor (generally called a "processing agreement") has to fulfil and what specific clauses have to be included in such a document.

Article 28(5) GDPR provides for ways in which a controller can assess whether a processor provides sufficient guarantees to comply with the GDPR (i.e. adherence to codes of conduct or an approved certification mechanism).

Article 28(6) to (8) GDPR deal with the possibility of the Commission and supervisory authorities adopting standard contractual clauses which can be used by controllers and processors.

Article 28(9) GDPR imposes specific form requirements on the contract or other legal act mentioned in paragraphs 3 and 4.

Finally, Article 28(10) GDPR determines that a processor acting outside of the agreement with the controller, by determining the purposes and means of processing, has to be considered a controller itself.

EDPB Guidelines: Relevant Guidelines for this Article are: EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1); EDPB, 'Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s)', 7 October 2024.

(1) Processor

Article 28 GDPR governs the relationship between a controller and a processor. Article 28(1) GDPR restricts the extent to which a controller can choose a processor by obliging the controller to use only processors who provide "sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of [the GDPR] and ensure the protection of the rights of the data subject".

Therefore, a controller can only work with processors who can provide those guarantees and is responsible for assessing the sufficiency of those guarantees. The controller should be able to prove the performance of such an assessment.[2]

The controller must be able to demonstrate the required technical knowledge, expertise and resources to provide adequate guarantees.[3]

The controller shall use only

The controller cannot engage processors who are unable to guarantee, with regard to their assigned portion of the processing, compliance with the GDPR and the protection of the data subject's rights. This prohibition is perfectly understandable since the aim of this provision is to ensure the same level of data protection, and the same compliance with it, regardless of who specifically performs the processing activity.[4] Otherwise, the controller could reduce the guarantees provided by the GDPR simply by outsourcing parts of the processing that it prefers not to invest in. It follows that, before engaging any processor, the controller must carefully check that these requirements are met (see below).

This provision also indicates that the controller must have some discretion as to whether it wants to engage a processor or not. If the controller is forced to use a specific processor (e.g. in the context of a corporate group), it is questionable whether the apparent processor is not in fact a controller.[5]

Processor(s)

The concept of a "processor" is defined in Article 4(8) GDPR. For more information on the concept of processor, see the commentary on Article 4(8) GDPR.

When considering whether or not to entrust the processing of personal data to a particular processor, controllers should carefully assess whether the processor in question allows them to exercise a sufficient degree of control, taking into account the nature, scope, context and purposes of processing as well as the potential risks for data subjects. A case-by-case analysis remains necessary, however, in order to ascertain the degree of influence each entity effectively has in determining the purposes and means of the processing.[6]


For example: Company X outsources its client support to Company Y, which provides a call centre in order to help Company X's clients with their questions. The client support service means that Company Y has to have access to Company X's client databases. Company Y can only access data in order to provide the support that Company X has procured, and it cannot process data for any purposes other than the ones stated by Company X. Company Y is to be seen as a personal data processor, and a processor agreement must be concluded between Company X and Company Y.

Providing sufficient guarantees

The controller can only use processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subject.[7] The language used is almost identical to that in the last sentence of Article 25(1) GDPR. The connection seems clear; Article 25 GDPR applies to the controller's own measures, while this provision deals with the processor's measures.

According to Recital 81 GDPR, the assessment shall be done "in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of [the] Regulation, including for the security of processing". More precisely, the controller will have to take different elements into "serious consideration", including the processor's privacy policies, terms of service, records of processing activities, management and information security policies, reports of external audits, as well as recognised international certifications (e.g. the ISO 27000 series). The controller should also assess the processor's expert knowledge and technical expertise regarding security measures and data breaches, as well as its reliability and resources. The reputation of the processor in the market may also be a relevant factor.[8]

The controller should also consider the risk connected to the processing activity when assessing the guarantees provided by a potential processor.[9] Additionally, the controller should document the specific guarantees and technical and organisational measures implemented by a processor in order to be able to comply with its obligations arising under the GDPR (e.g. Articles 5(2), 24, 35, and 36 GDPR). Compliance with those Articles will often depend on having such information about the processor.[10]

As stipulated in Article 28(5) GDPR, the adherence of a processor to an approved code of conduct (Article 40 GDPR) or an approved certification mechanism (Article 42 GDPR) could be used as an element to demonstrate sufficient guarantees (see commentary to Article 28(5) below). However, such adherence only has an indicative effect.[11]

The obligation to use only processors “providing sufficient guarantees” is a continuous one which does not end with the conclusion of the contract. Rather, the controller should verify the processor’s guarantees through audits and inspections at appropriate intervals.[12] However, this provision does not mandate when or how audits should be conducted.[13]

In a situation where the controller finds out that a processor does not comply with the provided guarantees, or that the processor can no longer provide those guarantees, the controller has to stop the cooperation with the processor.[14]


For example: After a data breach affects a processor, it becomes apparent to the controller that the processor did not implement the guaranteed data protection safeguards. The controller thus has to make sure that the processor ceases the processing of all personal data on its behalf.


(2) Engagement of other processors by the processor

If a processor engages another processor, the other processor is usually referred to as a "sub-processor".[15] A sub-processor can also engage other sub-processors, creating additional links in a chain of sub-processors. In cases where a controller engages numerous processors who, in turn, also engage multiple sub-processors, rather complicated structures can arise. Therefore, it is important to note that the controller at the beginning of the chain remains the one determining the purposes and means of the processing.[16]

The situation of a sub-processor is very similar to the position of the processor directly engaged by the controller, since Article 28(4) GDPR demands that sub-processors have basically the same data protection obligations as the processor above them in the processing chain.[17]

In order to appropriately comply with its role as controller, the controller should have available information relating to the identity of all processors and sub-processors, as well as information on what processing is entrusted to each (sub-)processor.[18] It is not, however, necessary that a controller can directly audit all of its sub-processors; it is considered sufficient that a processor can audit a sub-processor (and has to do so if required).[19]

Only with the controller's written authorisation

Article 28(2) GDPR stipulates that a processor shall not engage another processor (sub-processor) without the prior specific or general written authorisation of the controller. Therefore, this provision prevents a processor from engaging further processors without the controller's authorisation. This is essential since the latter remains responsible for the processing operations. Therefore, no personal data can be entrusted to a sub-processor without such prior authorisation.[20]

The EDPB highlights that, in order to comply with the accountability principle (Article 5(2) GDPR), the controller should be provided not only with the sub-processor's name, but also with a list of intended sub-processors, including their location, details of the scope of their activity and the applicable safeguards that have been implemented.[21]

The contract or other legal act between the controller and the sub-processor should specify if a specific or general written authorisation by the controller is needed in order for the processor to engage a sub-processor (see below regarding the two types).[22]


"In cases where the controller decides to accept certain sub-processors at the time of the signature of the contract, a list of approved sub-processors should be included in the contract or an annex thereto. The list should then be kept up to date, in accordance with the general or specific authorisation given by the controller."

EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 154.


It is noteworthy that the standard contractual clauses provided by the Commission (see commentary on Article 28(7) GDPR) provide for different contractual options regarding the controller's prior authorisation. But regardless of whether the contract or other legal act draws from the standard contractual clauses, the parties should specify the requirements for the written authorisation, the deadline for an approval or objection, and consequences of such an objection.[23]

Specific authorisation

According to the EDPB, the controller's prior authorisation can be considered specific when it refers to a specific sub-processor for a specific processing activity and a specific time.[24]

Any change (e.g. the addition of a sub-processor) requires the specific authorisation of the controller before it can take effect. If a processor's request for a specific authorisation is not answered within a set timeframe (which should be agreed upon in the contract), it should be treated as denied.[25]


For example: A controller contractually agrees with its processor that the processor must not subcontract any of its processing operations performed on behalf of the controller, without the controller's prior specific written authorisation. Further, they negotiate that, in case the processor wants to engage a sub-processor, it has to submit a request with specific information about the sub-processor (allowing the controller to make an informed assessment). If the controller does not confirm the request in a specified period, the processor cannot engage the sub-processor.

General authorisation

A controller can also give a general authorisation for the use of sub-processors. In this case, processors should provide controllers with a list of sub-processors, details as to the type of processing, its relation to specific products or services, and the relevant data protection safeguards that will be in place when processing is undertaken by specific sub-processors.[26] For this case, Article 28(2) GDPR imposes an explicit obligation on the processor to inform the controller in due time of any intended addition or replacement of sub-processor(s) in order to give the controller the opportunity to object (see below).


For example: The controller and its processor contractually agree that the processor has the controller's general authorisation for the engagement of sub-processors from an agreed list attached to the processing agreement. The agreement further obliges the processor to inform the controller a specified time in advance and in writing of any intended changes to the list. The processor is also obliged to provide the controller with all information necessary to enable it to make an informed assessment. If the controller does not object to the proposed change, the change is deemed accepted.

According to the EDPB, the main difference between general and specific authorisations has to do with the interpretation of the controller’s non-response to a request.[27] Whereas in a general authorisation scenario the controller’s silence can be interpreted as an authorisation, in a specific authorisation scenario, the controller’s silence has to be interpreted as a refusal.[28] In both cases, the EDPB has suggested that the relevant communication procedures and timeframes must be included in the controller-processor contract, and that such timeframe must be reasonable depending on the type and complexity of processing.[29] Article 28(4) GDPR contains further obligations of the processor engaging another processor (see below).


"[I]n the general authorisation situation, the controller’s failure to object within the set timeframe can be interpreted as authorisation."

EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 157.

Information of any intended changes

Where the controller gives the processor a general written authorisation to engage sub-processors, Article 28(2) GDPR obliges the processor to inform the controller of any intended changes concerning the addition or replacement of other processors. This gives the controller the opportunity to object to such changes. In other words, if the processor decides to change any of the above (e.g. replace a sub-processor) after receiving a general authorisation from the controller, the processor must inform the controller so that it can object to such a change. As described above, the controller's failure to respond to such information can be understood by the processor as acceptance.

According to the EDPS, this opportunity to object must be "meaningful".[30] This implies that a 'take-it-or-leave-it' scenario, "whereby the sole and exclusive remedy of the controller is to terminate its contract with the processor, would not be a meaningful remedy". This is because, "in the EDPS' view, if terminating one service means having to terminate an entire suite of services and if a controller does not consider that a viable business option, that would result in the controller having no choice but to accept a sub-processor".[31]

(3) Contract or other legally binding act

The relationship between controller and processor must be defined either by a written contract or another legal act under Union or Member State law (processing between the parties "shall be governed by a contract or other legal act"). This is necessary to ensure the transparent allocation of responsibilities and liabilities both internally (between controllers and processors) and externally (towards data subjects and regulators).[32]

Contract or other legal act

Article 28(3) GDPR requires that any shared processing activity between a controller and a processor is based on a contract or another "legal act" derived from European or Member State law.[33] In the absence of at least one of these, the activity will be unlawful and a source of liability.


"Since the Regulation establishes a clear obligation to enter into a written contract, where no other relevant legal act is in force, the absence thereof is an infringement of the GDPR. Both the controller and processor are responsible for ensuring that there is a contract or other legal act to govern the processing. Subject to the provisions of Article 83 of the GDPR, the competent supervisory authority will be able to direct an administrative fine against both the controller and the processor, taking into account the circumstances of each individual case. Contracts that have been entered into before the date of application of the GDPR should have been updated in light of Article 28(3). The absence of such update, in order to bring a previously existing contract in line with the requirements of the GDPR, constitutes an infringement of Article 28(3).


A written contract pursuant to Article 28(3) GDPR may be embedded in a broader contract, such as a service level agreement. In order to facilitate the demonstration of compliance with the GDPR, the EDPB recommends that the elements of the contract that seek to give effect to Article 28 GDPR be clearly identified as such in one place (for example in an annex)."

EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 103 (footnotes omitted).


The requirement that engaging a processor for the processing of personal data is subject to a contract or other legal act also makes it necessary that all actors agree on their respective roles in a processing activity. The absence of a clear definition of the relationship between the controller and the processor would be very problematic and would e.g. lead to a lack of legal basis for the processing, especially regarding the transfer of personal data from the controller to the alleged processor and vice versa.

The contract or legal act must be in writing, including in electronic form (see form requirements in Article 28(9) GDPR).

However, the presence (or absence) of a written arrangement is not decisive in establishing the existence of a controller-processor relationship. The obligation to have a contract or other legal act in place is a consequence of the existence of a controller-processor relationship, and not the cause of it. Therefore, the contract should reflect the factual circumstances. This means that where a processing agreement does not correspond with reality in terms of actual control, the agreement should be set aside. Conversely, a controller-processor relationship might still exist even in the absence of a written processing agreement or other legal act. This would, however, imply a violation of Article 28(3) GDPR.[34]


"In most cases, there will be a contract, but the Regulation also refers to “other legal act”, such as a national law (primary or secondary) or other legal instrument. If the legal act does not include all the minimum required content, it must be supplemented with a contract or another legal act that includes the missing elements."

EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 102.


Finally, the fact that the service provider prepares the contract and its detailed terms of business, rather than the controller, does not pose a problem in itself. It is not sufficient grounds to consider the service provider as a controller.


"the imbalance in the contractual power of a small data controller with respect to big service providers should not be considered as a justification for the controller to accept clauses and terms of contracts which are not in compliance with data protection law, nor can it discharge the controller from its data protection obligations. The controller must evaluate the terms and in so far as it freely accepts them and makes use of the service, it has also accepted full responsibility for compliance with the GDPR. Any proposed modification, by a processor, of data processing agreements included in standard terms and conditions should be directly notified to and approved by the controller, bearing in mind the degree of leeway that the processor enjoys with respect to non-essential elements of the means (see paragraphs 40-41 above). The mere publication of these modifications on the processor’s website is not compliant with Article 28."

EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 110.

binding on the processor

This provision mandates that the contract or other legal act must be binding on the processor with regard to the controller. This means that the contract or other legal act must establish obligations on the processor that are binding as a matter of EU or Member State law. However, such a contract or legal act will also set out obligations of the controller.[35]

Content of the contract or other legal act

Article 28(3) GDPR lists a number of minimum requirements that have to be included in the contract or other legal act that governs the engagement of a processor. However, the contract or other legal act should not merely restate the respective provisions; rather, it should be more specific and include information and provisions on how the requirements will be met and which level of security is required. The negotiation of a processing agreement should therefore be considered a chance to specify details of the processing activity.[36]

For the content of the contract, the actors can also draw from standard contractual clauses provided by the Commission or supervisory authorities (see commentary on Article 28(6) to (8) GDPR below).

sets out the subject-matter

Naturally, the subject-matter of the processing is a broad concept. Nevertheless, it should make the main object of the processing sufficiently clear.[37]


For example: A processing agreement between the controller and its processor declares the capturing and storing of video surveillance footage of individuals as they enter and exit a highly secure facility as its subject-matter.


duration of the processing

The duration of the processing refers to the period of time of the processing. It is sufficient to mention the specific criteria used to determine the duration. Usually, the duration of the processing agreement will at the same time be the duration of the processing.[37]

nature and purpose of the processing

The nature of the processing refers to the type of operations performed as part of the processing (e.g. calling data subjects, collecting information from a specific source, storing personal data).

The purpose should describe what should be achieved with the processing activity (for more information on the purpose of the processing see commentary on Article 5(1)(b) GDPR).[37]

This information should be sufficiently detailed so that it is clear for the parties what the expected processing activity entails. The level of detail should also make the nature and purpose of the processing clear to any data subject or the supervisory authority.[38]

type of personal data

The contract or other legal act has to list the type of personal data involved in the processing. In other words, it should list what kind of data will be processed.

"It would not be adequate merely to specify that it is 'personal data pursuant to Article 4(1) GDPR' or 'special categories of personal data pursuant to Article 9'"

EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 114.


categories of data subjects

The contract or other legal act also has to specify whose personal data will be processed, i.e. the categories of data subjects. This point should also be reasonably detailed (e.g. customers or employees).

obligations and rights of the controller

Specific rights of the controller are mentioned in the list of specific provisions Article 28(3) GDPR mandates to be part of the contract or other legal act governing the processing. Obligations of the controller could include the controller’s obligation to provide the processor with the data mentioned in the contract or other legal act or to provide and document any instruction bearing on the processing of data by the processor, in order to ensure compliance with the obligations set out in the GDPR.[37]

To determine the rights and obligations of the controller, the following aspects, for example, must be taken into account. According to the GDPR, only the controller decides on deletion, correction and access. In particular, the controller is also responsible for checking the general permissibility and lawfulness of processing and must issue sufficient instructions. In particular, this includes the duty of the controller to appear as such and to create transparency for the data subject.[39]

The second part of Article 28(3) GDPR provides a list of elements which must be specifically provided by the contract or other legal act. Therefore, the contract or other legal act must include the following clauses:

(a) Documented instructions

The contract or other legal act must oblige the processor to act only on documented instructions from the controller, unless otherwise provided for by Union or Member State law. Controllers must provide their processors with instructions related to each processing activity. Such instructions can include permissible and unacceptable handling of personal data, more detailed procedures, ways of securing data, etc.[40] The contract can provide the parties with procedures and templates to communicate “documented” instructions. For these purposes, it is recommended to include a procedure and a template for giving further instructions in an annex to the contract or other legal act. However, instructions can be given by different means (e.g. e-mail) as long as it is possible to keep records of them.[41]

In general, the processor shall not go beyond what is instructed by the controller. An exception applies where the processor is obliged by EU law or Member State law to process or transfer personal data. In such cases, the processor must inform the controller about such requirements before commencing the processing. However, if the same (EU or Member State) law prohibits the processor from informing the controller due to "important grounds of public interest," there is no obligation to provide this information. This provision emphasises the importance of carefully negotiating and drafting data processing agreements. Both parties may need to seek legal advice to determine the existence of any such legal requirement. Regardless, any transfer or disclosure can only occur if authorised by Union law, including in accordance with Article 48 GDPR.[42]

International transfers

The provision clarifies that the rules on documented instructions also apply to transfers in the sense of Articles 44 et seqq. GDPR. The contract should specify the requirements for transfers to third countries or international organisations, taking into account the provisions of Chapter V of the GDPR. If the instructions by the controller "do not allow for transfers or disclosures to third countries, the processor will not be allowed to assign the processing to a sub-processor in a third country, nor will he be allowed to have the data processed in one of his non-EU divisions".[43]

(b) Confidentiality

The contract should explicitly state that the processor is responsible for ensuring that anyone authorised to process the personal data is bound by confidentiality. This can be achieved through a specific contractual agreement or existing statutory obligations. The term "persons authorized to process the personal data" encompasses both employees and temporary workers. In general, the processor should only grant access to the personal data to employees who require it to perform the tasks for which the processor was engaged by the controller.[44]

(c) Measures required by Article 32 GDPR

Article 28(3)(c) of the GDPR requires that the contract or other binding agreement impose on the processor the obligation to implement the security measures mandated by Article 32 GDPR.[45] The EDPB emphasises that a mere reference to the obligations stemming from Article 32 GDPR is not sufficient. The contract or binding act must, at the very least, (i) specify the security measures to be implemented, (ii) introduce an obligation on the processor not to modify these measures without prior authorization from the controller, and (iii) require the parties to continuously review the measures to ensure their adequacy and effectiveness. This level of specificity is necessary to appropriately assess risks. Furthermore, it is the only way for the controller to fulfill its accountability obligations under Articles 5(2) and 24 of the GDPR.[46]

"The level of instructions provided by the controller to the processor as to the measures to be implemented will depend on the specific circumstances. In some cases, the controller may provide a clear and detailed description of the security measures to be implemented. In other cases, the controller may describe the minimum security objectives to be achieved, while requesting the processor to propose implementation of specific security measures. In any event, the controller must provide the processor with a description of the processing activities and security objectives (based on the controller’s risk assessment), as well as approve the measures proposed by the processor. This could be included in an annex to the contract. The controller exercises its decision-making power over the main features of the security measures, be it by explicitly listing the measures or by approving those proposed by the processor."

EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 127 (available here).


(d) Engaging a sub-processor

As explained above, processors should obtain prior specific or general authorisation to use sub-processors or to change arrangements with existing sub-processors. If the processor engages another processor, they must establish a contract that imposes the same data protection obligations as those imposed on the original processor. Alternatively, these obligations can be imposed through another legal act based on Union or Member State law. This requirement also encompasses the obligation specified in Article 28(3)(h) to facilitate and cooperate with audits conducted by the controller or an auditor appointed by the controller. The processor bears liability to the controller for ensuring that the other processor complies with data protection obligations. The contract or legal act must further regulate these aspects.[47] See also Commentary on Article 28(2) and (4) GDPR.

(e) Assisting with the controller's obligation to respond to data subjects' requests

The controller remains responsible for overall compliance with the GDPR and, specifically, for handling data subject rights requests under Articles 12-22 GDPR, regardless of the involvement of processors. The same goes for the other requirements set forth in Article 12 GDPR. For example, the deadlines set out in Article 12 GDPR cannot be extended by the controller on the ground that the necessary information must be provided by the processor. However, processors do exist: they hold, store, disclose and process personal data on their systems. For example, consider a request for erasure under Article 17, where some of the data is physically located with the processor. In order to fulfil its obligations, the controller requires the cooperation of the processor.

This is why, under Article 28(3)(e) GDPR, the processors shall nevertheless be obliged to assist the controller. Typically, this consists of promptly forwarding any requests received from data subjects. However, in some circumstances the processor will be given more specific, technical duties, especially when it is in the position of extracting and managing the personal data. The contract should list the technical and organisational measures adopted by the processor to enable the assistance. It is crucial to bear in mind that, although "the practical management of individual requests can be outsourced to the processor, the controller bears the responsibility for complying with such requests. Therefore, the assessment as to whether requests by data subjects are admissible and/or the requirements set by the GDPR are met should be performed by the controller, either on a case-by-case basis or through clear instructions provided to the processor in the contract before the start of the processing."[48]

This is not an absolute obligation. The legislature mandates the processor to take every measure to assist the controller, but also clarifies that this should be done "taking into account the nature of the processing" and "insofar as this is possible." An example is when an external service company is engaged to handle the destruction of files and data carriers. Due to its inherent nature, the processor can only assist controllers in fulfilling deletion requests.[49]

(f) Assisting with the controller's obligations under Articles 32 to 36 GDPR

Under Article 28(3)(f) GDPR, the agreement between the parties or other legal act provides further details as to how the processor should assist the controller in complying with Articles 32 to 36 GDPR. However, the contract or other legal document should not merely repeat what is prescribed by the provision. On the contrary, specific details are needed regarding the specific measures that the processor must adopt to assist the controller. The selection of such measures should take into account the nature of the processing and the information available to the processor. In other words, the controller must provide the processor with the necessary elements to understand the processing and provide effective assistance.[50]

"the processor has, first, a duty to assist the controller in meeting the obligation to adopt adequate technical and organisational measures to ensure security of processing. While this may overlap, to some extent, with the requirement that the processor itself adopts adequate security measures, where the processing operations of the processor fall within the scope of the GDPR, they remain two distinct obligations, since one refers to the processor’s own measures and the other refers to the controller’s.


Secondly, the processor must assist the controller in meeting the obligation to notify personal data breaches to the supervisory authority and to data subjects. The processor must notify the controller whenever it discovers a personal data breach affecting the processor’s or a sub-processor’s facilities / IT systems and help the controller in obtaining the information that need to be stated in the report to the supervisory authority."

EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 135 et seq.


When a data breach occurs (Articles 33-34 GDPR), the processor shall notify the controller without undue delay. The EDPB recommends including in the contract a specific timeframe (e.g. a number of hours) by which the processor should notify the controller, as well as a contact point for such notifications, the modality and the minimum content expected by the controller. Moreover, the EDPB notes that the contractual arrangement between the controller and the processor may also include an authorisation and a requirement for the processor to directly notify a data breach in accordance with Articles 33 and 34, but the legal responsibility for the notification remains with the controller.[51]

"Where necessary and upon request", the processor must provide assistance in case the controller carries out a Data Protection Impact Assessment (Article 35 GDPR) or if a prior consultation before a DPA is needed under Article 36 GDPR. As a result, "the controller is the one that must take the initiative to perform the data protection impact assessment, not the processor."[52]

(g) Deleting or returning personal data

The purpose of the contractual terms is to guarantee that personal data receives suitable protection after the conclusion of the "provision of services related to the processing." Consequently, it is the responsibility of the controller to determine the actions the processor should take concerning the personal data. The controller can decide whether personal data (including existing copies) shall be deleted or returned after the end of the provision of the processor's services. The wording "end of the provision of services" refers to the termination of the relationship between the parties, regardless of the specific reason that led to such an outcome. Consequently, it could be the case that the contract has reached its specified term, or that the purpose of the processing has been achieved, or even that the processing is deemed unlawful by a decision of the competent authority.

If the controller chooses that the personal data be deleted, the processor should ensure that the deletion is performed in a secure manner in compliance with Article 32 GDPR. The processor should confirm to the controller that the deletion has been completed in accordance with an agreed timescale and manner.[53]

"The controller can decide at the beginning whether personal data shall be deleted or returned by specifying it in the contract, through a written communication to be timely sent to the processor. The contract or other legal act should reflect the possibility for the data controller to change the choice made before the end of the provision of services related to the processing. The contract should specify the process for providing such instructions"

EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 140.

Deletion or return of the data may be dispensed with where Union or Member State law requires the data to be retained. Lastly, it is rightly noted that the processor may retain the data if necessary for the exercise or defence of legal claims. In such cases, however, the processor acts as an independent controller and must therefore operate on the basis of a valid legal basis.[54]

(h) Provision of compliance-demonstrating information and contribution to audits

According to general principles, it is the responsibility of the controller to demonstrate that the processing is carried out in compliance with the GDPR. Article 28(3)(h) GDPR enables such a task in case processors are used. According to Article 28(3)(h) GDPR, the processor should provide all information necessary to demonstrate compliance with all the aforementioned obligations to the controller, and allow for as well as contribute to audits, including inspections, conducted by the controller or another auditor.[55]

The contract should specify the frequency and method of information exchange between the processor and the controller, ensuring that the controller is fully informed about the processing details necessary to demonstrate compliance with the obligations outlined in Article 28 of the GDPR. For example, relevant parts of the processor's records of processing activities can be shared with the controller. The processor should provide comprehensive information on how the processing activities will be carried out on behalf of the controller. This information should encompass details about system functionality, security measures, compliance with data retention requirements, data location, data transfers, data access, recipients of data, use of sub-processors, and other relevant aspects.[56]

The contract must also specify the methods through which the processor assists in conducting audits and inspections by the controller or its appointed auditor. These activities enable the controller to verify the processor's compliance with the obligations stated in this Article. The parties should engage in a cooperative manner and evaluate whether and when audits should be conducted at the premises of the processor. They should also determine the appropriate type of audit or inspection (remote, on-site, or alternative methods) based on the specific circumstances, considering security considerations. The controller has the ultimate decision-making authority in this regard. After the inspection results are obtained, the controller should have the ability to request the processor to implement necessary measures, such as addressing identified deficiencies and gaps.[57]

It is advisable to record the results of the inspections carried out by the controller so that, if necessary, proof of them can be provided to the supervisory authorities at a later date.

Obligation to notify the controller in case of infringing instructions

The final sentence of Article 28(3) GDPR requires the processor to immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. After the alert is sent, the controller shall verify whether it is grounded. If the controller confirms the instructions, the processor may carry them out. Nonetheless, this principle does not apply if the controller explicitly demands actions that clearly violate the law or seriously infringe upon personal rights. In such instances, the processor has the right to refuse to carry out the data processing requested by the controller.[58]

"Once informed that one of its instructions may be in breach of data protection law, the controller will have to assess the situation and determine whether the instruction actually violates data protection law.


The EDPB recommends the parties to negotiate and agree in the contract the consequences of the notification of an infringing instruction sent by the processor and in case of inaction from the controller in this context. One example would be to insert a clause on the termination of the contract if the controller persists with an unlawful instruction. Another example would be a clause on the possibility for the processor to suspend the implementation of the affected instruction until the controller confirms, amends or withdraws its instruction."

EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 148 et seq.

(4) Sub-processing

While Article 28(2) GDPR specifies the conditions under which the processor may engage other processors, Article 28(4) GDPR sets out the legal consequences of subcontracting.

Firstly, this provision stipulates that where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in Article 28(3) shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law. In particular, this applies to the obligation to provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR.

In other words, the (original) processor must conclude a contract or otherwise rely on another legal act with the sub-processor that contains the same obligations as the one concluded between the controller and the processor. Therefore, the sub-processor also has to provide sufficient guarantees that it implemented appropriate technical and organisational measures. The EDPB notes that this "includes the obligation under Article 28(3)(h) to allow for and contribute to audits by the controller or another auditor mandated by the controller".[59]

"[W]hen a processor intends to employ an (authorised) sub-processor, it must enter into a contract with it that imposes the same obligations as those imposed on the first processor by the controller or the obligations must be imposed by another legal act under EU or Member State law. The whole chain of processing activities needs to be regulated by written agreements. Imposing the “same” obligations should be construed in a functional rather than in a formal way: it is not necessary for the contract to include exactly the same words as those used in the contract between the controller and the processor, but it should ensure that the obligations in substance are the same. This also means that if the processor entrusts the sub-processor with a specific part of the processing, to which some of the obligations cannot apply, such obligations should not be included “by default” in the contract with the sub-processor, as this would only generate uncertainty. As an example, as to assistance with data breach related obligations, notification of a data breach by a sub-processor directly to the controller could be done if all three agree. However, in the case of such direct notification the processor should be informed and get a copy of the notification."

EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 160.


Second, Article 28(4) GDPR stipulates that in case the sub-processor fails to fulfill its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations. This means that the (original) processor is liable to the controller for breaches by the sub-processor. The involvement of multiple data processors does not result in a complication of legal protection and liability in this regard.[60]

(5) Codes of conduct

As stipulated in Article 28(1) GDPR, a controller has to make sure that a processor provides "sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of [the GDPR] and ensure the protection of the rights of the data subject." According to Article 28(4) GDPR the same is true if a processor wants to engage another processor (see commentary on the respective provisions above).

Article 28(5) GDPR gives the processor the option of demonstrating those sufficient guarantees through adherence to an approved code of conduct (Article 40 GDPR) or an approved certification mechanism (Article 42 GDPR). Whether this adherence is real and has been demonstrated must be decided in each case, taking into account the specific processing, the code of conduct and/or the certification procedure.[61] Moreover, it should be pointed out that adherence to such systems is only an "element" by which to demonstrate sufficient guarantees.[62] Thus, an overall assessment by the controller based on all the information and evidence available to it is still required (see Recital 81 sentence 2 GDPR).[63] Especially if any indications of the processor's unreliability become apparent, the controller has to investigate further and might have to refrain from any cooperation or even terminate an existing agreement.[64]

It would be advisable to contractually oblige the processor to inform the controller about any change regarding the codes of conduct or the certification (e.g. an amendment of the codes of conduct or a re-certification).[65]

This provision could be especially helpful in situations where it is otherwise difficult for a controller to assess a potential processor and where the processor provides very similar services for a large number of controllers, e.g. in the area of cloud computing.[66]

(6) Standard contractual clauses as alternative to an individual contract

Article 28(6) GDPR introduces the possibility to base the contract or other legal act in whole or in part on standard contractual clauses. These standard contractual clauses can either be laid down by the Commission (see Article 28(7) GDPR) or adopted by a supervisory authority (Article 28(8) GDPR). Of course, this does not exclude the possibility to negotiate an individual contract between a controller and a processor or the possibility to use standard contractual clauses only for parts of the requirements under Article 28(3) and (4) GDPR.[67] Whichever option is chosen by the controller and processor, the content required in Article 28(3) and (4) GDPR has to be included in the agreement.[68] Whenever the parties deviate from standard contractual clauses, they should make sure that the requirements in Article 28(3) and (4) GDPR are fulfilled.[69] Other legal acts (besides a contract) can also rely, in whole or in part, on standard contractual clauses.[70]

This option has the potential to create simple and recognised contractual clauses, especially for largely standardised processes and processing such as cloud, hosting and infrastructure services or software-as-a-service offerings, which creates a balanced and data protection-friendly framework for controllers, processors, as well as data subjects.[71]

According to this provision, the use of standard contractual clauses can also be considered in connection with an officially recognised certification granted to the controller or processor pursuant to Articles 42 and 43 GDPR.[72]

Common mistake: The standard contractual clauses mentioned in this provision should not be confused with standard data protection clauses adopted by the Commission under Article 46(2)(a) GDPR.


(7) Standard Contractual Clauses by the Commission

There are two ways in which standard contractual clauses can be established. First, according to Article 28(7) GDPR, the Commission can lay them down in accordance with the examination procedure referred to in Article 93(2) GDPR (see commentary on Article 93(2) GDPR).[73]

And indeed, the Commission has made use of its power under Article 28(7) GDPR and published standard contractual clauses for the first time with the implementing decision dated 4 June 2021.[74] As mentioned above, these standard contractual clauses, governing the cooperation of a controller and a processor inside the Union, must not be mistaken for the standard data protection clauses under Article 46(2)(a) GDPR, which are also adopted by the Commission but which govern data flows outside of the Union.[75] However, it is plausible that the cooperation between a controller in the Union and a processor in a country for which an adequacy decision under Article 45 GDPR has been adopted could also be based on the standard contractual clauses under this provision.[76]

It should be recalled that there is no obligation to use the standard contractual clauses provided by the Commission (or adopted by a SA). However, if controller and processor choose to use standard contractual clauses, they should make sure to add the details of the specific situation and not just blindly use the template provided.[77]

(8) Standard Contractual Clauses by a SA

In accordance with Article 28(8) GDPR, standard contractual clauses can also be adopted by a SA in accordance with the consistency mechanism referred to in Article 63 GDPR. Such standard contractual clauses should be published in the "EDPB's Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism".[78]

Regarding the consistency mechanism mentioned in this provision, Article 64(1)(a) GDPR requires a SA to communicate to the EDPB when it aims to adopt standard contractual clauses. In this case, the EDPB has to issue an opinion (see commentary on Article 64(1)(a) GDPR).[79]

It should be noted that any templates provided by SAs under any predecessor provision of the GDPR cannot be considered valid any longer.[80]

(9) Form requirements

Article 28(9) GDPR states that the contract (or the other legal act) under Article 28(3) and (4) GDPR has to be in writing. It therefore stipulates a specific form requirement for a processing agreement between a controller and a processor. The provision also clarifies that the 'electronic form' fulfils this requirement without further explaining what can be considered an electronic form. It can be assumed that the electronic form does not require a qualified electronic signature; rather any document (constituting a contract or other legal act) in electronic form will suffice.[81]

Therefore, any agreement between a controller and a processor in a non-written form cannot be considered to meet this requirement. The EDPB further recommends that the signatures of the parties are included in the legal act as well, even though this is not a requirement stipulated in Article 28(9) GDPR.[82]

(10) Consequences where the processor exceeds its powers

The processor is not entitled to determine the purposes and means of the processing. This is up to the controller; in fact, this determination is what defines a controller (see Article 4(7) GDPR).

Article 28(10) GDPR prohibits processors from going beyond the scope of the processing agreement and thereby determining the purposes and means of the processing themselves. A processor that does so is in violation of the GDPR. At the same time, this provision makes clear that the processor is to be considered a controller in respect of that (unlawful) processing.

"Acting 'on behalf of' also means that the processor may not carry out processing for its own purpose(s). As provided in Article 28(10), a processor infringes the GDPR by going beyond the controller’s instructions and starting to determine its own purposes and means of processing. The processor will be considered a controller in respect of that processing and may be subject to sanctions for going beyond the controller’s instructions"

EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 81.


This provision governs cases where the processor unlawfully exceeds its powers because the power to determine aspects of the processing (i.e. its purpose and means) lies with the controller.[83] Less clear are cases in which the controller delegates decision-making powers to the processor and the processor acts within this broadened scope. This would still lead to the processor acting as a controller but would - in itself - not be a case of Article 28(10) GDPR.[84]

This provision stipulates that any liability under Articles 82, 83 and 84 remains unaffected. But the processor loses its privileged status with regard to liability, and is subject to all the obligations of a controller set out in the GDPR.[85]

Decisions

→ You can find all related decisions in Category:Article 28 GDPR

References

  1. EDPB, 'Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s)', 7 October 2024, margin number 39 (available here).
  2. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 94 (available here).
  3. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 97 (available here).
  4. Compare EDPB, 'Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s)', 7 October 2024, margin number 39 (available here).
  5. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 28 GDPR, margin number 55 (C.H. Beck 2024, 4th Edition).
  6. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 82 (available here).
  7. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 28 GDPR, margin number 56 (C.H. Beck 2024, 4th Edition).
  8. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.0), margin number 95 et seqq. (available here).
  9. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 28 GDPR, margin number 56 (C.H. Beck 2024, 4th Edition).
  10. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 28 GDPR, margin number 58 (C.H. Beck 2024, 4th Edition).
  11. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 28 GDPR, margin number 59 (C.H. Beck 2024, 4th Edition).
  12. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 99 (available here); see also Article 28(3)(h) GDPR.
  13. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 28 GDPR, margin number 60 (C.H. Beck 2024, 4th Edition).
  14. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 28 GDPR, margin number 60 (C.H. Beck 2024, 4th Edition).
  15. E.g. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 151 et seqq. (available here).
  16. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 151 et seq. (available here); Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 28 GDPR, margin number 85 (C.H. Beck 2024, 4th Edition).
  17. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 28 GDPR, margin number 86 with further references (C.H. Beck 2024, 4th Edition).
  18. EDPB, 'Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s)', 7 October 2024, margin number 28 et seq. (available here).
  19. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 28 GDPR, margin number 86 with further references (C.H. Beck 2024, 4th Edition).
  20. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 152 (available here).
  21. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 152 (available here).
  22. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 153 (available here).
  23. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 28 GDPR, margin number 88 (C.H. Beck 2024, 4th Edition).
  24. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 153 (available here).
  25. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 155 (available here).
  26. Millard, Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary [Update of Selected Articles - May 2021], Article 28 GDPR, p. 131 (Oxford University Press 2020); EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 156 (available here).
  27. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 157 (available here).
  28. Millard, Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary [Update of Selected Articles - May 2021], Article 28 GDPR, p. 132 (Oxford University Press 2020).
  29. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 158 (available here).
  30. EDPS, 'EDPS Public Paper on Outcome of own-initiative investigation into EU institutions' use of Microsoft products and services', 2 July 2020, margin number 71 (available here).
  31. Millard, Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary [Update of Selected Articles - May 2021], Article 28 GDPR, p. 131 (Oxford University Press 2020).
  32. Millard, Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 28 GDPR, p. 606 (Oxford University Press 2020).
  33. This provision refers to "other legal act". This includes EU and national law (primary or secondary) or other legal instruments. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 102 (available here).
  34. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 102 (available here).
  35. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 102 (available here).
  36. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 112 (available here).
  37. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 114 (available here).
  38. Bertermann, Peintinger, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 28 GDPR, margin number 20 (C.H. Beck 2024, 3rd Edition).
  39. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 66 (C.H. Beck 2024, 4th Edition).
  40. It is however possible for the processor to suggest elements that, if accepted by the controller, become part of the instructions given.
  41. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 116 et seqq. (available here).
  42. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 121 (available here).
  43. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 120 (available here).
  44. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 122 et seqq. (available here).
  45. For more detailed information, please refer to the commentary under Article 32 GDPR.
  46. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 125 et seqq. (available here).
  47. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 128 et seq. (available here).
  48. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 132 (available here).
  49. Petri, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 28 GDPR, margin number 70 (C.H. Beck 2025, 2nd Edition).
  50. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 133 et seq. (available here).
  51. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 136 (available here).
  52. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 138 (available here).
  53. In these exact terms: EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.0), margin number 141 (available here).
  54. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 28 GDPR, margin number 77 (C.H. Beck 2024, 4th Edition).
  55. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 78 (C.H. Beck 2024, 4th Edition).
  56. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 143 (available here).
  57. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 144 (available here).
  58. Petri, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 28 GDPR, margin number 83 (C.H. Beck 2025, 2nd Edition).
  59. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.0), margin number 129 (available here).
  60. Petri, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 28 GDPR, margin number 85 (C.H. Beck 2019).
  61. Bertermann, Peintinger, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 28 GDPR, margin number 34 (C.H. Beck 2024, 3rd Edition).
  62. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 98 (available here).
  63. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 28 GDPR, margin number 59 with further references (C.H. Beck 2024, 4th Edition).
  64. Bogendorfer, in Knyrim, DatKomm, Article 28 GDPR, margin number 57 (Manz 2022).
  65. Compare Bogendorfer, in Knyrim, DatKomm, Article 28 GDPR, margin number 57 (Manz 2022).
  66. Compare Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 28 GDPR, margin number 59 (C.H. Beck 2024, 4th Edition); Bogendorfer, in Knyrim, DatKomm, Article 28 GDPR, margin number 56 (Manz 2022).
  67. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 104 (available here).
  68. Klug, in Gola, Datenschutz-Grundverordnung, Article 28 GDPR, margin number 16 (C.H. Beck 2022, 3rd Edition).
  69. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 28 GDPR, margin number 93 (C.H. Beck 2024, 4th Edition).
  70. Bogendorfer, in Knyrim, DatKomm, Article 28 GDPR, margin number 87 (Manz 2022).
  71. Bertermann, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 28 GDPR, margin number 31 (C.H. Beck 2018, 2nd Edition).
  72. Klug, in Gola, Datenschutz-Grundverordnung, Article 28 GDPR, margin number 16 (C.H. Beck 2022, 3rd Edition).
  73. Article 93(2) GDPR in turn refers to Article 5 of Regulation (EU) No 182/2011, which enshrines the examination procedure.
  74. Commission, Implementing Decision (EU) 2021/915 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council, 4 June 2021 (available here).
  75. Bogendorfer, in Knyrim, DatKomm, Article 28 GDPR, margin number 88/1 (Manz 2022); Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 28 GDPR, margin number 92 (C.H. Beck 2024, 4th Edition); for more information on the standard data protection clauses for data transfers outside the Union, see the commentary on Article 46 GDPR.
  76. Bogendorfer, in Knyrim, DatKomm, Article 28 GDPR, margin number 88/1 (Manz 2022).
  77. Bogendorfer, in Knyrim, DatKomm, Article 28 GDPR, margin number 88/3 (Manz 2022); Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 28 GDPR, margin number 93 (C.H. Beck 2024, 4th Edition).
  78. Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism (available here).
  79. See also Recital 81 and Klug, in Gola, Datenschutz-Grundverordnung, Article 28 GDPR, margin number 17 (C.H. Beck 2022, 3rd Edition).
  80. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 28 GDPR, margin number 92 (C.H. Beck 2024, 4th Edition).
  81. Bogendorfer, in Knyrim, DatKomm, Article 28 GDPR, margin number 92 (Manz 2022); Bertermann, Peintinger, in Ehmann, Selmayr, DSGVO, Article 28 GDPR, margin number 1 (C.H. Beck 2024, 3rd Edition); Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 28 GDPR, margin number 96 (C.H. Beck 2024, 4th Edition).
  82. EDPB, 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR', 7 July 2021 (Version 2.1), margin number 101 (available here).
  83. Spoerr, in Wolff, Brink, BeckOK Datenschutzrecht, Article 28 GDPR, margin number 104 (C.H. Beck 2024, 50th Edition).
  84. Bogendorfer, in Knyrim, DatKomm, Article 28 GDPR, margin number 94 (Manz 2022).
  85. Spoerr, in Wolff, Brink, BeckOK Datenschutzrecht, Article 28 GDPR, margin number 104 (C.H. Beck 2024, 50th Edition).