Article 28 GDPR
|← Article 28 - Processor →|
- 1 Legal Text
- 2 Relevant Recitals
- 3 Commentary
- 4 Overview
- 5 Article 28 (1)
- 6 Article 28 (2)
- 6.1 Contract
- 6.1.1 Documented instructions
- 6.1.2 Unless required to do so by Union or Member State law
- 6.1.3 Authorised persons
- 6.1.4 Security measures
- 6.1.5 Sub-processing
- 6.1.6 Cooperation in addressing rights exercise requests
- 6.1.7 Further assistance (Articles 32 - 36)
- 6.1.8 Deletion of data
- 6.1.9 Demonstrate compliance and allow for audits
- 6.2 Unlawful instructions
- 6.1 Contract
- 7 Decisions
- 8 References
1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
- (a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
- (b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- (c) takes all measures required pursuant to Article 32;
- (d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
- (e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down inCHAPTER III;
- (f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;
- (g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
- (h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.
4. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.
5. Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.
6. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.
7. The Commission may lay down standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2).
8. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.
9. The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.
10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.
You can help us fill this section!
Complex processing often requires outsourcing of a part of the activities to specialised service providers with whom personal data are then shared. Under the common data protection framework, such disclosure is acceptable provided that both controller and third parties – in this case, processors – put in place appropriate safeguards to protect the personal data and ensure general compliance with the Regulation.
Article 28 (1)
On behalf of the controller
The processor does not determine the purposes and means of the processing and entirely depends on the controller’s instructions. If the processor violates the instruction or processes the data for any other different purpose, then it ceases to qualify as processor.
The controller may use “only processors providing sufficient guarantees to implement appropriate technical and organisational measures”. Processors should also meet the requirements of the GDPR as a whole and proactively ensure the protection of data subject rights (Art. 28 (1) GDPR).
The controller is responsible for assessing and selecting the appropriate processor. In doing so, the controller must take into “serious consideration” different elements, including processor’s privacy policies, terms of service, records of processing activities, management and information security policies, reports of external audits, recognised international certifications, like ISO 27000series. 
The controller should also assess the processor’s expert knowledge and technical expertise (with regard to security measures and data breaches), reliability and resources. The reputation of the processor in the market may also be a relevant factor for consideration. 
According to the EDPB, the obligation to use only processors “providing sufficient guarantees” is a continuous obligation which does not end with the conclusion of the contract. Rather, the controller should, at appropriate intervals, verify the processor’s guarantees through audits and inspections where appropriate.
Article 28 (2)
A controller and a processor who enter into a data protection agreement are obliged to sign a written contract (including in electronic form, Article 28 (9) GDPR) to document and specify the scope of the processor’s action, powers and obligations of the parties.
Such a contract shall set out at least “the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller” (Article 28 (3) GDPR).
The controller and processor can also manage the requirements of Article 28(3) and (4) via standard contractual clauses that the European Commission has issued or a supervisory authority has adopted under Article 28(8) GDPR. 
Article 28 (3)(a) GDPR requires the processor to treat personal data only on documented instructions from the controller.
According to the EDPB, the instructions shall refer to each processing activity and can include “permissible and unacceptable handling of personal data, more detailed procedures, ways of securing data, etc. The processor shall not go beyond what is instructed by the controller”. 
The contract can provide the parties with procedures and templates to communicate “documented” instructions. Instructions, however, can be given by different means (e.g. e-mail), as long as it is possible to keep records of them.
The rule “no action without instruction” also applies to transfers of personal data to a third country or international organisation, as expressly provided for by Article 28 (3)(a) GDPR. The contract should specify the requirements for transfers to third countries or international organisations, taking into account the provisions of Chapter V of the GDPR.
Unless required to do so by Union or Member State law
A processor can also process data without, against or above controller’s instructions if required to do so by EU law or other applicable Member State law. For this reason, it seems important to carefully negotiate data processing agreements, also with regard to the existence of any such legal requirement.
Persons authorised to process the personal data are employees and temporary workers involved in the processing activities. Under Article 28 (3)(b) GDPR, authorised persons are committed to strict confidentiality. This may occur either via a specific contractual agreement or statutory obligations already in place.
The contract should list the technical and organisational measures adopted by the processor to ensure the security of the processing.
The controller can interact with the processor while choosing the security measures. However, the level of such interaction depends on the specific circumstances of the processing. These measures, which the parties initially agree on, cannot be changed without the controller’s approval. 
In accordance with Article 31(1)(d) GDPR, the contract should also describe which type of process is in place to assess appropriateness and effectiveness of the existing security measures.
The data processing agreement must regulate the case of sub-processing which takes place when a processor engages another entity to carry out a part of the operations.
In principle, such choice is not possible unless the controller gives a prior written authorization. The authorization can be general or specific (Article 28(2) GDPR). In case of general authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
If the processor obtains the controller’s authorization, then Article 28(4) GDPR becomes relevant. It follows that, where a processor engages another processor for carrying out specific activities, the same data protection obligations as set out in the “main” data processing agreement (between controller and processor) shall be imposed on that other processor by way of (another) contract (or other legal act). 
The EDPB also clarified that “This includes the obligation under Article28(3)(h) to allow for and contribute to audits by the controller or another auditor mandated by the controller”. 
Cooperation in addressing rights exercise requests
Dealing with data subjects rights requests is a precise duty of the controller under Article 12 – 22 GDPR. However, under Article 28(3)(e) GDPR, processors are not exempted from providing the controller with adequate assistance in that regard.
Typically, the assistance consists in promptly forwarding any request received from data subjects. However, in some circumstances, the processor will be given more specific, technical duties, especially when it is in the position of extracting and managing the personal data.
Further assistance (Articles 32 - 36)
Under Article 28(3)(f) GDPR, the agreement between the parties provides further details as to how the processor assist the controller in ensuring compliance with Articles 32 to 36.
Reference to Article 32 means that the processor shall provide assistance on how to best implement effective security measures. This provision seems to create a sort of consultancy role on the processor who not only has to respect Article 32 in its own structure, but also has to provide assistance to improve the controller’s systems, where necessary.
In case of data breach (Article 33 - 34 GDPR), the processor shall notify the controller without undue delay.  The EDPB also recommends “that there is a specific timeframe of notification (e.g. number of hours) and the point of contact for such notifications be provided in the contract. The contracts should finally specify how the processor shall notify the controller in case of a breach”. 
The processor must provide assistance in case the controller carries out a Data Protection Impact Assessment (Article 35) or if a prior consultation before a DPA is needed under Article 36 GDPR.
Deletion of data
The controller can decide whether personal data shall be deleted or returned by specifying it in the contract. If the controller chooses that the personal data be deleted, the processor should ensure that the deletion is performed in a secure manner, also in order to comply with Article 32 GDPR. The processor should confirm to the controller that the deletion has been completed within an agreed timescale and manner.
Demonstrate compliance and allow for audits
The controller can (and should), at appropriate intervals, verify the processor’s GDPR compliance through audits and inspections (Article 28 (3)(h) GDPR). However, in practice, it seems not clear what the real scope of such audit rights is.
In assessing the first version of the draft controller/processor clauses submitted by the Danish Authority, the EDPB showed a certain criticism towards the excessive restriction of the controller’s audit rights. In particular, the Board criticises the drafting of clause 12.3, which, in its original version, seemed to “limit this right of the data controller vis-a-vis the sub-processor (“if applicable” and “performed through the Data processor”)”.
The Board therefore requests “that the Danish SA redrafts clause 12.3 in order to be in full compliance with the GDPR. This can be done by merging clauses 12.2 and 12.3 as follows: “Procedures applicable to the data controller’s audits, including inspections of the data processor and the data sub-processor are specified in appendices C6 and C7 to the standard contractual clauses” (para 44).
The Danish Authority accepted the EDPB suggestion and, in line with such guidance, modified the wording of Appendix C7, which now seems to afford full protection of the controller’s audit rights:
“The data controller or the data controller’s representative shall [STATE TIME PERIOD] perform a physical inspection of the places, where the processing of personal data is carried out by the data processor, including physical facilities as well as systems used for and related to the processing to ascertain the data processor’s compliance with the GDPR, the applicable EU or Member State data protection provisions and the Clauses. In addition to the planned inspection, the data controller may perform an inspection of the data processor when the data controller deems it required”.
Since the above-mentioned version of the Danish Standard Contractual Clauses has been approved by the EDPB, it is not unreasonable to conclude that the Board has accepted such broad interpretation of the audit rights.
According to Article28(3), the processor must immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.
 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, p. 29.
 EDPB, Guidelines 07/2020 […], p. 30.
 Rücker, D., & In Kugler, T. (2018). New European General Data Protection Regulation, a practitioner's guide: Ensuring compliant corporate practice.
 EDPB, Guidelines 07/2020 […], p. 34.
 The EDPB clarified that in “some cases, the controller may provide a clear a detailed description of the security measures to be implemented. In other cases, the controller may describe the minimum security objectives to be achieved, while requesting the process or to propose implementation of specific security measures” (EDPB, Guidelines 07/2020 […], p. 35).
 According to Rücker, D., & In Kugler, T. […], p. 227, (cit.) “To ensure lawful sub-processing, the data protection obligations and responsibilities of all actors involved must, however, be clearly allocated. Chains of (sub-)processors that would dilute or even prevent effective control and clear responsibility for processing activities, must be avoided.”
 EDPB, Guidelines 07/2020 […], p. 36.
 EDPB, Guidelines on Personal data breach notification under Regulation 2016/679, WP250rev.01, 6 February 2018, p.13-14
 EDPB, Guidelines 07/2020 […], p. 37.
 In these exact terms, EDPB, Guidelines 07/2020 […], p. 38.
 EDPB, Opinion 14/2019 on the draft Standard Contractual Clauses submitted by the DKSA, 9 July 2019
→ You can find all related decisions in Category:Article 28 GDPR