Article 28 GDPR: Difference between revisions

From GDPRhub
Line 228: Line 228:
{{Recital/81 GDPR}}
{{Recital/81 GDPR}}


==Commentary on Article 28==
==Commentary==
Complex processing often requires outsourcing of a part of the activities to specialised service providers with whom personal data are then shared. Article 28 GDPR responds to this necessity and establishes the legal framework for a cooperation with so-called processors to ensure the protection of the data subjects' rights.  
Complex processing often requires outsourcing of a part of the activities to specialised service providers with whom personal data are then shared. Article 28 GDPR responds to this necessity and establishes the legal framework for a cooperation with so-called processors to ensure the protection of the data subjects' rights.  


Line 234: Line 234:


====Processor - Processing Carried Out on Behalf of the Controller====
====Processor - Processing Carried Out on Behalf of the Controller====
Article 28(1) GDPR names the only requirement for the whole Article to apply: A processing is to carried out on behalf of a controller. This requirement is consistent with the legal definition of processor from [[Article 4 GDPR|Article 4(8) GDPR]], according to which a processor "means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller".
Article 28(1) GDPR names the only requirement for the whole Article to apply: A processing is to be carried out on behalf of a controller. This requirement is consistent with the legal definition of processor from [[Article 4 GDPR|Article 4(8) GDPR]], according to which a processor "means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller".


The qualification as a processor consists of positive and negative characteristics.  
The qualification as a processor consists of positive and negative characteristics.  
Line 240: Line 240:
Positively, a processor processes data "on behalf" of the controller. This especially means that they do so under instructions. For further explanations please refer to the [[Article 4 GDPR|commentary on Article 4(8) GDPR]].
Positively, a processor processes data "on behalf" of the controller. This especially means that they do so under instructions. For further explanations please refer to the [[Article 4 GDPR|commentary on Article 4(8) GDPR]].


The processing person cannot be considered a processor if they meet the requirements of being a (joint) controller in the sense of [[Article 4 GDPR|Article 4(7) GDPR]] and [[Article 26 GDPR|Article 26(1)(1) GDPR]] (negative requirement). In particular, a processing person is not a processor if they (co-)decide on the processing purposes. Please refer to the respective commentaries for further explanations ([[Article 4 GDPR|Article 4(7) and (8) GDPR]], [[Article 26 GDPR|Article 26(1)(1) GDPR]]).
Negatively, the processing person cannot be considered a processor if they meet the requirements of being a (joint) controller in the sense of [[Article 4 GDPR|Article 4(7) GDPR]] and [[Article 26 GDPR|Article 26(1) GDPR]]. In particular, a processing person is not a processor if they (co-)decide on the processing purposes. Please refer to the respective commentaries for further explanations ([[Article 4 GDPR|Article 4(7) and (8) GDPR]], [[Article 26 GDPR|Article 26(1)(1) GDPR]]).


====Appropriate Technical and Organisational Measures====
====Appropriate Technical and Organisational Measures====
Line 256: Line 256:
According to the prevailing opinion, processing in the controller-processor-relationship is privileged. This means, for example, that no legal basis under Article 6 GDPR is required. In principle, a controller can use a processor if it can demonstrate a corresponding legal basis for its own processing. However, this is not accompanied by a lowering of data protection. Rather, the substantive requirements remain the same. The "reduced" material-legal requirements are compensated for by technical-organisational measures.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin numbers 13, 15 (Beck 2020, 3rd ed.) (accessed 25 August 2021).</ref> This view is supported by the fact that the processor is bound by instructions.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 16 (Beck 2020, 3rd ed.) (accessed 25 August 2021).</ref> In addition, [[Article 4 GDPR|Article 4(10) GDPR]] makes clear that the processor is not a third party, but the processor may be a recipient under [[Article 4 GDPR|Article 4(9) GDPR]]. This makes it clear that there is no need for a separate legal basis for the transfer to a processor.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 17 (Beck 2020, 3rd ed.) (accessed 25 August 2021).</ref> ''Hartung'' also makes a systematic argument. The GDPR holds different obligations for processors and controllers. If Article 28 GDPR did not intend any privileging, this differentiated system, the rules of Article 28 GDPR, in particular Article 28(10) GDPR would be superfluous, as everything could be regulated via the general GDPR rules.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 18 (Beck 2020, 3rd ed.) (accessed 25 August 2021).</ref> Ultimately, this is also historically justified by the fact that the privilege also already existed under the [https://eur-lex.europa.eu/legal-content/DE/ALL/?uri=CELEX%3A31995L0046 Directive 95/46/EC]. This was derived in particular from an opinion of the WP29, which read as follows: "''Controller and processor and their staff are therefore considered as the ‘inner circle of data processing’ and are not covered by special provisions on third parties.''"<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 18 (Beck 2020, 3rd ed.) (accessed 25 August 2021) with reference to WP29, Opinion 1/2010 on the concepts of "controller" and "processor", 16 February 2010, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf p. 6].</ref>
According to the prevailing opinion, processing in the controller-processor-relationship is privileged. This means, for example, that no legal basis under Article 6 GDPR is required. In principle, a controller can use a processor if it can demonstrate a corresponding legal basis for its own processing. However, this is not accompanied by a lowering of data protection. Rather, the substantive requirements remain the same. The "reduced" material-legal requirements are compensated for by technical-organisational measures.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin numbers 13, 15 (Beck 2020, 3rd ed.) (accessed 25 August 2021).</ref> This view is supported by the fact that the processor is bound by instructions.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 16 (Beck 2020, 3rd ed.) (accessed 25 August 2021).</ref> In addition, [[Article 4 GDPR|Article 4(10) GDPR]] makes clear that the processor is not a third party, but the processor may be a recipient under [[Article 4 GDPR|Article 4(9) GDPR]]. This makes it clear that there is no need for a separate legal basis for the transfer to a processor.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 17 (Beck 2020, 3rd ed.) (accessed 25 August 2021).</ref> ''Hartung'' also makes a systematic argument. The GDPR holds different obligations for processors and controllers. If Article 28 GDPR did not intend any privileging, this differentiated system, the rules of Article 28 GDPR, in particular Article 28(10) GDPR would be superfluous, as everything could be regulated via the general GDPR rules.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 18 (Beck 2020, 3rd ed.) (accessed 25 August 2021).</ref> Ultimately, this is also historically justified by the fact that the privilege also already existed under the [https://eur-lex.europa.eu/legal-content/DE/ALL/?uri=CELEX%3A31995L0046 Directive 95/46/EC]. This was derived in particular from an opinion of the WP29, which read as follows: "''Controller and processor and their staff are therefore considered as the ‘inner circle of data processing’ and are not covered by special provisions on third parties.''"<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 18 (Beck 2020, 3rd ed.) (accessed 25 August 2021) with reference to WP29, Opinion 1/2010 on the concepts of "controller" and "processor", 16 February 2010, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf p. 6].</ref>


Other attempts at explanation, according to which [[Article 6 GDPR|Article 6(1)(f) GDPR]] is regularly fulfilled in the controller-processor- relationship, Article 28 GDPR represents an independent legal basis in addition to [[Article 6 GDPR]] or according to which a united processing operation exists when a processor is used, which does not require a separate justification, must be rejected against this background.<ref>See only ''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin numbers 20 - 23 (Beck 2020, 3rd ed.) (accessed 25 August 2021) providing further arguments.</ref>
Other attempts at explanation, according to which [[Article 6 GDPR|Article 6(1)(f) GDPR]] is regularly fulfilled in the controller-processor-relationship, Article 28 GDPR represents an independent legal basis in addition to [[Article 6 GDPR]] or according to which a united processing operation exists when a processor is used, which does not require a separate justification, must be rejected against this background.<ref>See only ''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin numbers 20 - 23 (Beck 2020, 3rd ed.) (accessed 25 August 2021) providing further arguments.</ref>


===(2) Engagement of Other Processors by the Processor===
===(2) Engagement of Other Processors by the Processor===
Article 28(2)(1) GDPR first establishes the general rule that a processor may not engage any other processors. This ensures that the controller remains in control and that the fulfillment of its obligations under Article 28(1) GDPR also bears fruit.  
Article 28(2) GDPR first establishes the general rule that a processor may not engage any other processors. This ensures that the controller remains in control and that the fulfillment of its obligations under Article 28(1) GDPR also bears fruit.  


However, Article 28(2) GDPR allows the controller to authorise the processor to engage additional processors. The authorisation must be in advance. It can be specific or in general (Article 28(1)(1) GDPR).  
However, Article 28(2) GDPR allows the controller to authorise the processor to engage additional processors. The authorisation must be in advance. It can be specific or in general (Article 28(1) GDPR).  


Due to the risks associated with a general authorisation, especially with regard to a possible loss of control, Article 28(2)(2) GDPR provides for an information obligation on the part of the processor. If they engage or replace a processor based on a general authorisation, they are obliged to inform the controller.  
Due to the risks associated with a general authorisation, especially with regard to a possible loss of control, Article 28(2) GDPR provides for an information obligation on the part of the processor. If they engage or replace a processor based on a general authorisation, they are obliged to inform the controller.  


Furthermore, it also follows from sentence 2 that the general authorisation cannot be granted without restriction. Rather, the controller always retains the right to object to the processor's engaging or replacing decision after receiving the information.
Furthermore, it also follows from sentence 2 that the general authorisation cannot be granted without restriction. Rather, the controller always retains the right to object to the processor's engaging or replacing decision after receiving the information.
Line 296: Line 296:
Persons authorised to process the personal data are employees and temporary workers involved in the processing activities. Under Article 28 (3)(b) GDPR, authorised persons are committed to confidentiality. This may be arranged either via a specific contractual agreement or statutory obligations already in place.
Persons authorised to process the personal data are employees and temporary workers involved in the processing activities. Under Article 28 (3)(b) GDPR, authorised persons are committed to confidentiality. This may be arranged either via a specific contractual agreement or statutory obligations already in place.


=====(c) Measures Required by [[Article 32 GDPR]] =====
=====(c) Measures Required by Article 32 GDPR =====
Reference is made to the [[Article 32 GDPR|commentary on Article 32 GDPR]].   
Reference is made to the [[Article 32 GDPR|commentary on Article 32 GDPR]].   


Line 309: Line 309:
The contract should list the technical and organisational measures adopted by the processor to ensure the assistance.
The contract should list the technical and organisational measures adopted by the processor to ensure the assistance.


=====(f) Assisting With the Controller's Obligations under [[Article 32 GDPR|Articles 32]] to [[Article 36 GDPR|36 GDPR]]=====
=====(f) Assisting With the Controller's Obligations under Articles 32 to 36 GDPR=====
Under Article 28(3)(f) GDPR, the agreement between the parties provides further details as to how the processor assist the controller in ensuring compliance with [[Article 32 GDPR|Articles 32 - 36 GDPR]].  
Under Article 28(3)(f) GDPR, the agreement between the parties provides further details as to how the processor assist the controller in ensuring compliance with [[Article 32 GDPR|Articles 32 - 36 GDPR]].  


Reference to [[Article 32 GDPR]] means that the processor shall provide assistance on how to best implement effective security measures. This provision seems to create a sort of consultancy role on the processor who not only has to respect Article 32 GDPR in its own structure, but also has to provide assistance to improve the controller’s systems, where necessary.
Reference to [[Article 32 GDPR]] means that the processor shall provide assistance on how to best implement effective security measures. This provision seems to create a sort of consultancy role on the processor who not only has to respect Article 32 GDPR in its own structure, but also has to provide assistance to improve the controller’s systems, where necessary.


In case of data breach ([[Article 33 GDPR|Articles 33 - 34 GDPR]]), the processor shall notify the controller without undue delay.<ref>EDPB, Guidelines on Personal data breach notification under Regulation 2016/679, 6 February 2018, [https://ec.europa.eu/newsroom/article29/items/612052 pp. 13-14].</ref> The EDPB also recommends “''that there is a specific timeframe of notification (e.g. number of hours) and the point of contact for such notifications be provided in the contract. The contracts should finally specify how the processor shall notify the controller in case of a breach''”.<ref>EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf p. 37].</ref>
In case of data breach ([[Article 33 GDPR|Articles 33-34 GDPR]]), the processor shall notify the controller without undue delay.<ref>EDPB, Guidelines on Personal data breach notification under Regulation 2016/679, 6 February 2018, [https://ec.europa.eu/newsroom/article29/items/612052 pp. 13-14].</ref> The EDPB also recommends “''that there is a specific timeframe of notification (e.g. number of hours) and the point of contact for such notifications be provided in the contract. The contracts should finally specify how the processor shall notify the controller in case of a breach''”.<ref>EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf p. 37].</ref>


The processor must provide assistance in case the controller carries out a Data Protection Impact Assessment ([[Article 35 GDPR]]) or if a prior consultation before a DPA is needed under [[Article 36 GDPR]].
The processor must provide assistance in case the controller carries out a Data Protection Impact Assessment ([[Article 35 GDPR]]) or if a prior consultation before a DPA is needed under [[Article 36 GDPR]].
Line 330: Line 330:
While Article 28(2) GDPR specifies the conditions under which the processor may engage other processors, Article 28(4) GDPR contains the legal consequences of subcontracting.  
While Article 28(2) GDPR specifies the conditions under which the processor may engage other processors, Article 28(4) GDPR contains the legal consequences of subcontracting.  


The first sentence obliges the (original) processor to conclude a contract or other legal act with the sub-processor that contains the same obligations as the contract or other legal act concluded between the controller and the (original) processor. Therefore, the sub-processor should especially be obliged to provide respectvisufficient guarantees to implement appropriate technical and organisational measures. The EDPB also clarified that “''this includes the obligation under Article 28(3)(h) to allow for and contribute to audits by the controller or another auditor mandated by the controller''”.<ref>EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 36 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref>
The first sentence obliges the (original) processor to conclude a contract or other legal act with the sub-processor that contains the same obligations as the contract or other legal act concluded between the controller and the (original) processor. Therefore, the sub-processor should especially be obliged to provide respective sufficient guarantees to implement appropriate technical and organisational measures. The EDPB also clarified that “''this includes the obligation under Article 28(3)(h) to allow for and contribute to audits by the controller or another auditor mandated by the controller''”.<ref>EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf?36 p. 36].</ref>


The second sentence clarifies that the processor is also liable to the controller for breaches by the sub-processor.
The second sentence clarifies that the processor is also liable to the controller for breaches by the sub-processor.
Line 344: Line 344:
There are two ways in which standard contractual clauses can be established. On the one hand, the Commission may lay them down in accordance with the examination procedure referred to in [[Article 93 GDPR|Article 93(2) GDPR]] (Article 28(7) GDPR). On the other hand, according to Article 28(8) GDPR, they can also be adopted by a supervisory authority in accordance with the consistency mechanism referred to in [[Article 63 GDPR]].
There are two ways in which standard contractual clauses can be established. On the one hand, the Commission may lay them down in accordance with the examination procedure referred to in [[Article 93 GDPR|Article 93(2) GDPR]] (Article 28(7) GDPR). On the other hand, according to Article 28(8) GDPR, they can also be adopted by a supervisory authority in accordance with the consistency mechanism referred to in [[Article 63 GDPR]].


The Commission has made use of its power under Article 28(7) GDPR for the first time with the implementing decision dated 4 June 2021 and published standard contractual clauses.<ref>Commission, Implementing Decision (EU) 2021/915 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council, 4 June 2021, available here https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0915&from=DE.</ref>
The Commission has made use of its power under Article 28(7) GDPR for the first time with the implementing decision dated 4 June 2021 and published standard contractual clauses.<ref>Commission, Implementing Decision (EU) 2021/915 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council, 4 June 2021 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0915&from=DE. here]).</ref>


Previously, standard contractual clauses were published in the "EDPB's Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism" on the initiative of the Danish supervisory authority.<ref>EDPB, 11 December 2019, First standard contractual clauses for contracts between controllers and processors (art. 28 GDPR) at the initiative of DK SA published in EDPB register (available here https://edpb.europa.eu/news/news/2019/first-standard-contractual-clauses-contracts-between-controllers-and-processors-art_de); the standard contractual clauses are available here https://edpb.europa.eu/sites/default/files/files/file2/dk_sa_standard_contractual_clauses_january_2020_en.pdf.</ref>
Previously, standard contractual clauses were published in the "EDPB's Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism" on the initiative of the Danish supervisory authority.<ref>EDPB, First standard contractual clauses for contracts between controllers and processors (art. 28 GDPR) at the initiative of DK SA published in EDPB register, 11 December 2019 (available [https://edpb.europa.eu/news/news/2019/first-standard-contractual-clauses-contracts-between-controllers-and-processors-art_de here]); and the standard contractual clauses (available [https://edpb.europa.eu/sites/default/files/files/file2/dk_sa_standard_contractual_clauses_january_2020_en.pdf here]).</ref>
=== (9) Form Requirements ===
=== (9) Form Requirements ===
Article 28(9) GDPR states that the contract or the other legal act referred to in Article 28(3) and (4) GDPR shall be in writing and clarifies that the electronic form fulfils this requirement.  
Article 28(9) GDPR states that the contract or the other legal act referred to in Article 28(3)(4) GDPR shall be in writing and clarifies that the electronic form fulfils this requirement.  


=== (10) Consequences in Case of an Excess of the Processor ===
=== (10) Consequences in Case of an Excess of the Processor ===

Revision as of 16:22, 26 August 2021

Article 28 - Processor
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 28 - Processor


1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:

(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) takes all measures required pursuant to Article 32;
(d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
(e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;
(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;
(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

4. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.

5. Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.

6. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.

7. The Commission may lay down standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2).

8. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.

9. The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.

10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.

Relevant Recitals

Recital 81: Entrusting a Processor
To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller. The carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject. The controller and processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission. After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store the personal data under Union or Member State law to which the processor is subject.

Commentary

Complex processing often requires outsourcing of a part of the activities to specialised service providers with whom personal data are then shared. Article 28 GDPR responds to this necessity and establishes the legal framework for a cooperation with so-called processors to ensure the protection of the data subjects' rights.

(1) Duty to Use Processors and Minimum Requirements

Processor - Processing Carried Out on Behalf of the Controller

Article 28(1) GDPR names the only requirement for the whole Article to apply: A processing is to be carried out on behalf of a controller. This requirement is consistent with the legal definition of processor from Article 4(8) GDPR, according to which a processor "means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller".

The qualification as a processor consists of positive and negative characteristics.

Positively, a processor processes data "on behalf" of the controller. This especially means that they do so under instructions. For further explanations please refer to the commentary on Article 4(8) GDPR.

Negatively, the processing person cannot be considered a processor if they meet the requirements of being a (joint) controller in the sense of Article 4(7) GDPR and Article 26(1) GDPR. In particular, a processing person is not a processor if they (co-)decide on the processing purposes. Please refer to the respective commentaries for further explanations (Article 4(7) and (8) GDPR, Article 26(1)(1) GDPR).

Appropriate Technical and Organisational Measures

The controller may use “only processors providing sufficient guarantees to implement appropriate technical and organisational measures”. Processors should also meet the requirements of the GDPR as a whole and proactively ensure the protection of data subject rights (Article 28(1) GDPR).

According to Recital 81 sentence 1 GDPR "the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing".

The controller is responsible for assessing and selecting the appropriate processor. In doing so, the controller must take into “serious consideration” different elements, including processor’s privacy policies, terms of service, records of processing activities, management and information security policies, reports of external audits, recognised international certifications, like ISO 27000 series.[1]

The controller should also assess the processor’s expert knowledge and technical expertise (with regard to security measures and data breaches), reliability and resources. The reputation of the processor in the market may also be a relevant factor for consideration.[2]

According to the EDPB, the obligation to use only processors “providing sufficient guarantees” is a continuous obligation which does not end with the conclusion of the contract. Rather, the controller should, at appropriate intervals, verify the processor’s guarantees through audits and inspections where appropriate.[3]

Privileged Processing in the Controller-Processor-Relation

According to the prevailing opinion, processing in the controller-processor-relationship is privileged. This means, for example, that no legal basis under Article 6 GDPR is required. In principle, a controller can use a processor if it can demonstrate a corresponding legal basis for its own processing. However, this is not accompanied by a lowering of data protection. Rather, the substantive requirements remain the same. The "reduced" material-legal requirements are compensated for by technical-organisational measures.[4] This view is supported by the fact that the processor is bound by instructions.[5] In addition, Article 4(10) GDPR makes clear that the processor is not a third party, but the processor may be a recipient under Article 4(9) GDPR. This makes it clear that there is no need for a separate legal basis for the transfer to a processor.[6] Hartung also makes a systematic argument. The GDPR holds different obligations for processors and controllers. If Article 28 GDPR did not intend any privileging, this differentiated system, the rules of Article 28 GDPR, in particular Article 28(10) GDPR would be superfluous, as everything could be regulated via the general GDPR rules.[7] Ultimately, this is also historically justified by the fact that the privilege also already existed under the Directive 95/46/EC. This was derived in particular from an opinion of the WP29, which read as follows: "Controller and processor and their staff are therefore considered as the ‘inner circle of data processing’ and are not covered by special provisions on third parties."[8]

Other attempts at explanation, according to which Article 6(1)(f) GDPR is regularly fulfilled in the controller-processor-relationship, Article 28 GDPR represents an independent legal basis in addition to Article 6 GDPR or according to which a united processing operation exists when a processor is used, which does not require a separate justification, must be rejected against this background.[9]

(2) Engagement of Other Processors by the Processor

Article 28(2) GDPR first establishes the general rule that a processor may not engage any other processors. This ensures that the controller remains in control and that the fulfillment of its obligations under Article 28(1) GDPR also bears fruit.

However, Article 28(2) GDPR allows the controller to authorise the processor to engage additional processors. The authorisation must be in advance. It can be specific or in general (Article 28(1) GDPR).

Due to the risks associated with a general authorisation, especially with regard to a possible loss of control, Article 28(2) GDPR provides for an information obligation on the part of the processor. If they engage or replace a processor based on a general authorisation, they are obliged to inform the controller.

Furthermore, it also follows from sentence 2 that the general authorisation cannot be granted without restriction. Rather, the controller always retains the right to object to the processor's engaging or replacing decision after receiving the information.

Article 28(4) GDPR contains further obligations of the processor engaging another processor (see below).

(3) Contract or Other Legal Act Binding the Processor

If the requirement under Article 28(1) GDPR is met, i.e. the processing party is considered a processor, there is an obligation under Article 28(3) GDPR to impose rules regarding this processing that are binding for such processing.

Article 28(3) GDPR contains a list of the minimum content of these rules. The first sentence contains the core content, while the second sentence adds further minimum content. According to Article 28(6) GDPR the contract other legal act can be based, in whole or in part, on standard contractual clauses (see below).

Core Content Pursuant to Sentence 1

The core content of the contract consists of eight elements: (1) the subject-matter and (2) the duration of the processing, (3) the nature and (4) purpose of the processing, (5) the type of personal data, (6) the categories of the data subjects and (7) the obligations and (8) rights of the controller.

The description of the purpose has to be concrete and and conclusive. This is necessary for a clear demarcation from the controller. The processor must not have any leeway in this respect.[10] With regard to the nature of processing, on the other hand, the processor may be given some leeway as to the means of processing.[11]

To determine the rights and obligations of the controller, the following aspects, for example, must be taken into account. According to the GDPR, only the controller decides on deletion, correction and access. In particular, the controller is also responsible for checking the general permissibility and lawfulness of processing and must issue sufficient instructions. In particular, this includes the duty of the controller to appear as such and to create transparency for the data subject.[12]

Further Minimum Content Pursuant to Sentence 2

(a) Documented Instructions

Article 28(3)(a) GDPR requires the processor to process personal data only on documented instructions from the controller, unless otherwise provided for by Union or Member State law. The provision clarifies that this processing also includes transfers in the sense of Articles 44 et seqq. GDPR.

According to the EDPB, the instructions shall refer to each processing activity and can include “permissible and unacceptable handling of personal data, more detailed procedures, ways of securing data, etc. The processor shall not go beyond what is instructed by the controller”.[13]

The contract can provide the parties with procedures and templates to communicate “documented” instructions. Instructions, however, can be given by different means (e.g. e-mail), as long as it is possible to keep records of them.

The contract should specify the requirements for transfers to third countries or international organisations, taking into account the provisions of Chapter V of the GDPR.

Where Union or Member State law requires a processor to process the data, the processor shall be exempt from the obligation to do so only on documented instructions. However, they then shall inform the controller of that legal requirement before the processing, unless that law prohibits such information on important grounds of public interest.

(b) Confidentiality

Persons authorised to process the personal data are employees and temporary workers involved in the processing activities. Under Article 28 (3)(b) GDPR, authorised persons are committed to confidentiality. This may be arranged either via a specific contractual agreement or statutory obligations already in place.

(c) Measures Required by Article 32 GDPR

Reference is made to the commentary on Article 32 GDPR.

(d) Engaging a Sub-Processor

The contract must further respect the conditions referred to in paragraphs 2 and 4 (see above and below).

(e) Assisting With the Controller's Obligation to Respond to Data Subject's Requests

Dealing with data subjects' rights requests is an obligation of the controller under Articles 12-22 GDPR. However, according to Article 28(3)(e) GDPR, the processors shall be obliged to assist the controller for the fulfilment of its obligations.

Typically, the assistance consists in promptly forwarding any request received from data subjects. However, in some circumstances, the processor will be given more specific, technical duties, especially when it is in the position of extracting and managing the personal data.

The contract should list the technical and organisational measures adopted by the processor to ensure the assistance.

(f) Assisting With the Controller's Obligations under Articles 32 to 36 GDPR

Under Article 28(3)(f) GDPR, the agreement between the parties provides further details as to how the processor assist the controller in ensuring compliance with Articles 32 - 36 GDPR.

Reference to Article 32 GDPR means that the processor shall provide assistance on how to best implement effective security measures. This provision seems to create a sort of consultancy role on the processor who not only has to respect Article 32 GDPR in its own structure, but also has to provide assistance to improve the controller’s systems, where necessary.

In case of data breach (Articles 33-34 GDPR), the processor shall notify the controller without undue delay.[14] The EDPB also recommends “that there is a specific timeframe of notification (e.g. number of hours) and the point of contact for such notifications be provided in the contract. The contracts should finally specify how the processor shall notify the controller in case of a breach”.[15]

The processor must provide assistance in case the controller carries out a Data Protection Impact Assessment (Article 35 GDPR) or if a prior consultation before a DPA is needed under Article 36 GDPR.

(g) Deleting or Returning Personal Data

The controller can decide whether personal data (including existing copies) shall be deleted or returned after the end of the provision of the processor's services unless the Union or Member State law requires storage of the personal data. If the controller chooses that the personal data be deleted, the processor should ensure that the deletion is performed in a secure manner. The processor should confirm to the controller that the deletion has been completed within an agreed timescale and manner.[16]

(h) Provision of Compliance Demonstrating Information and Contribution to Audits

According to Article 28(3)(h) GDPR, the processor should be obliged to provide to the controller all information necessary to demonstrate compliance with all the aforementioned obligations and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.[17]

Obligation to Notify the Controller in Case of Infringing Instructions

Finally, according to Article 28(3) GDPR, the processor must immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. It is advisable to record the results of the inspections carried out by the person responsible so that, if necessary, proof of the inspections carried out can be provided to the supervisory authorities at a later date.

(4) Sub-Processing

While Article 28(2) GDPR specifies the conditions under which the processor may engage other processors, Article 28(4) GDPR contains the legal consequences of subcontracting.

The first sentence obliges the (original) processor to conclude a contract or other legal act with the sub-processor that contains the same obligations as the contract or other legal act concluded between the controller and the (original) processor. Therefore, the sub-processor should especially be obliged to provide respective sufficient guarantees to implement appropriate technical and organisational measures. The EDPB also clarified that “this includes the obligation under Article 28(3)(h) to allow for and contribute to audits by the controller or another auditor mandated by the controller”.[18]

The second sentence clarifies that the processor is also liable to the controller for breaches by the sub-processor.

(5) Codes of Conduct

Article 28(5) GDPR gives the processor the option of demonstrating sufficient guarantees through adherence of a processor to an approved code of conduct as referred to in Article 40 GDPR or an approved certification mechanism as referred to in Article 42 GDPR. In this case, the demonstration is not automatically deemed to have been provided. Rather, it must be decided in each case, taking into account the specific processing, the code of conduct and the certification procedure.[19] In this context, it should be noted that, according to the wording "element", the aforementioned adherence should only be used as a factor, i.e. as an indication, and thus an overall assessment of the controller based on all the information and evidence available to them is still required (cf. Recital 81 sentence 2 GDPR).[20]

(6) to (8) Standard Contractual Clauses

Article 28(6) GDPR introduces the possibility to base the contract or other legal act in whole or in part on standard contractual clauses. This option has the potential to create simple and recognised contractual clauses, especially for largely standardised processes and processing such as cloud, hosting and infrastructure services or also software-as-a-service offerings, which might create a balanced and data protection-friendly framework for the controller, the processor but also the data subjects.[21]

According to this provision, the use of standard contractual clauses can also be considered in connection with an officially recognised certification granted to the controller or processor pursuant to Articles 42 and 43 GDPR.[22]

There are two ways in which standard contractual clauses can be established. On the one hand, the Commission may lay them down in accordance with the examination procedure referred to in Article 93(2) GDPR (Article 28(7) GDPR). On the other hand, according to Article 28(8) GDPR, they can also be adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 63 GDPR.

The Commission has made use of its power under Article 28(7) GDPR for the first time with the implementing decision dated 4 June 2021 and published standard contractual clauses.[23]

Previously, standard contractual clauses were published in the "EDPB's Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism" on the initiative of the Danish supervisory authority.[24]

(9) Form Requirements

Article 28(9) GDPR states that the contract or the other legal act referred to in Article 28(3)(4) GDPR shall be in writing and clarifies that the electronic form fulfils this requirement.

(10) Consequences in Case of an Excess of the Processor

The processor is not entitled to determine the purposes and means of the processing. If they nevertheless take over the processing, they are deemed to be controllers with regard to this processing pursuant to Article 28(10) GDPR. This concerns cases in which the processor unlawfully exceeds his powers, although the decision-making power lies with the controller.[25] In this respect, one can also speak of a task or function excess.[26] Any liability under Articles 82, 83 and 84 remains unaffected. The processor loses its privileged status with regard to liability. They are subject to all the obligations of a controller set out in the Regulation.[27]

Decisions

→ You can find all related decisions in Category:Article 28 GDPR

References

  1. EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 29.
  2. EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 30.
  3. EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 30.
  4. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin numbers 13, 15 (Beck 2020, 3rd ed.) (accessed 25 August 2021).
  5. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 16 (Beck 2020, 3rd ed.) (accessed 25 August 2021).
  6. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 17 (Beck 2020, 3rd ed.) (accessed 25 August 2021).
  7. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 18 (Beck 2020, 3rd ed.) (accessed 25 August 2021).
  8. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 18 (Beck 2020, 3rd ed.) (accessed 25 August 2021) with reference to WP29, Opinion 1/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 6.
  9. See only Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin numbers 20 - 23 (Beck 2020, 3rd ed.) (accessed 25 August 2021) providing further arguments.
  10. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 65 (Beck 2020, 3nd ed.) (accessed 25 August 2021); Bertermann, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 25 GDPR, margin number 20 (Beck 2018, 2nd ed.) (accessed 25 August 2021).
  11. Bertermann, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 25 GDPR, margin number 20 (Beck 2018, 2nd ed.) (accessed 25 August 2021) with reference to WP29, Opinion 1/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 17.
  12. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 66 (Beck 2020, 3nd ed.) (accessed 25 August 2021).
  13. EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 34.
  14. EDPB, Guidelines on Personal data breach notification under Regulation 2016/679, 6 February 2018, pp. 13-14.
  15. EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 37.
  16. In these exact terms EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 38.
  17. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 78 (Beck 2020, 3nd ed.) (accessed 25 August 2021).
  18. EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 36.
  19. Bertermann, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 25 GDPR, margin number 31 (Beck 2018, 2nd ed.) (accessed 25 August 2021).
  20. Cf. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 59 (Beck 2020, 3nd ed.) (accessed 25 August 2021).
  21. Bertermann, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 25 GDPR, margin number 31 (Beck 2018, 2nd ed.) (accessed 25 August 2021).
  22. Cf. Klug, in Gola, Basic Data Protection Regulation, Article 25 GDPR, margin number 16 (Beck 2018, 2nd ed.) (accessed 25 August 2021).
  23. Commission, Implementing Decision (EU) 2021/915 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council, 4 June 2021 (available here).
  24. EDPB, First standard contractual clauses for contracts between controllers and processors (art. 28 GDPR) at the initiative of DK SA published in EDPB register, 11 December 2019 (available here); and the standard contractual clauses (available here).
  25. Spoerr, in BeckOK DatenschutzR, Article 28 GDPR, margin number 104 (Beck 2020, 36th ed.) (accessed 25 August 2021).
  26. Spoerr, in BeckOK DatenschutzR, Article 28 GDPR, margin number 104 (Beck 2020, 36th ed.) (accessed 25 August 2021) with reference to Martini, in Paal, Pauly, DS-GVO BDSG, Article 28 GDPR, margin number 104 (Beck 2021, 3rd ed.) (accessed 25 August 2021).
  27. Spoerr, in BeckOK DatenschutzR, Article 28 GDPR, margin number 104 (Beck 2020, 36th ed.) (accessed 25 August 2021).