Article 28 GDPR: Difference between revisions

From GDPRhub
(Undo revision 11491 by 10.90.129.3 (talk))
Tag: Undo
(43 intermediate revisions by 6 users not shown)
Line 185: Line 185:


==Legal Text==
==Legal Text==
<br /><center>'''Article 28 - Processor'''</center><br />
<br /><center>'''Article 28 - Processor'''</center>


<span id="1">1.  Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.</span>
<span id="1">1.  Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.</span>
Line 201: Line 201:
::<span id="3d">(d)  respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;</span>
::<span id="3d">(d)  respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;</span>


::<span id="3e">(e)  taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down inCHAPTER III;</span>
::<span id="3e">(e)  taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;</span>


::<span id="3f">(f)  assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;</span>
::<span id="3f">(f)  assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;</span>
Line 226: Line 226:


==Relevant Recitals==
==Relevant Recitals==
<span id="r40">
{{Recital/81 GDPR}}
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 81:''' The controller should use only processors providing sufficient guarantees</div>
<div class="mw-collapsible-content">
To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller. The carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject. The controller and processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission. After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store the personal data under Union or Member State law to which the processor is subject.
</div></div>


==Commentary==
==Commentary==
Complex processing often requires the outsourcing of certain activities to specialised service providers with whom personal data are then shared (“processors”). Article 28 GDPR addresses this scenario and establishes the legal framework for such cooperation, thereby ensuring the protection of the data subjects' rights as well as general GDPR compliance. 


==Overview==
===(1) Duty to Use Processors and Minimum Requirements ===
Complex processing often requires outsourcing of a part of the activities to specialised service providers with whom personal data are then shared. Under the common data protection framework, such disclosure is acceptable provided that both controller and third parties – in this case, ''processors'' – put in place appropriate safeguards to protect the personal data and ensure general compliance with the Regulation.
Article 28 GDPR governs the relationship between the controller and the processor. Controllers can only work with processors who can provide guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. The controller must be able to demonstrate the required technical knowledge, expertise and resources to provide adequate guarantees.


==Article 28 (1)==
====Processor - Processing Carried Out on Behalf of the Controller====
The definition of processor consists of positive and negative characteristics. Positively, a processor processes data "''on behalf''" of the controller ([[Article 4 GDPR|Article 4(8) GDPR]]), meaning that they do so under instructions.<ref>See the commentary on [https://gdprhub.eu/Article%204%20GDPR Article 4(8)] for more information.</ref> Negatively, the processing person cannot be considered a processor if they meet the requirements of being a (joint) controller in the sense of [[Article 4 GDPR|Article 4(7) GDPR]] and [[Article 26 GDPR|Article 26(1) GDPR]].


===On behalf of the controller===
====Appropriate Technical and Organisational Measures====
The processor does not determine the purposes and means of the processing and entirely depends on the controller’s instructions. If the processor violates the instruction or processes the data for any other different purpose, then it ceases to qualify as processor.
The controller may only use “''processors providing sufficient guarantees to implement appropriate technical and organisational measures''”. According to Recital 81 GDPR, the assessment shall be done ''"in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of'' [the] ''Regulation, including for the security of processing''". More precisely, the controller will have to take into “''serious consideration''” different elements, including the processor’s privacy policies, terms of service, records of processing activities, management and information security policies, reports of external audits as well as recognised international certifications (e.g. ISO 27000 series). The controller should also assess the processor’s expert knowledge and technical expertise of security measures and data breaches, reliability and resources. The reputation of the processor in the market may also be a relevant factor. The obligation to use only processors “''providing sufficient guarantees''” is a continuous one which does not end with the conclusion of the contract. Rather, the controller should verify the processor’s guarantees through audits and inspections at appropriate intervals.<ref>EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.0), p. 31 (available [https://edpb.europa.eu/system/files/2021-07/eppb_guidelines_202007_controllerprocessor_final_en.pdf here]).</ref>


===Sufficient guarantees===
==== Privileged Processing in the Controller-Processor-Relation ====
The controller may use “''only processors providing sufficient guarantees to implement appropriate technical and organisational measures''. Processors should also meet the requirements of the GDPR as a whole and proactively ensure the protection of data subject rights (Art. 28 (1) GDPR).
It is generally accepted that processing in the controller-processor relationship is privileged. This notably means that no legal basis under Article 6 GDPR is required for the sharing of personal data between the two parties. This does not weaken the standard of data protection because the "''reduced''" material legal requirements are compensated for by technical and organisational measures. This view is supported by the fact that the processor is bound by the controller’s instructions.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin numbers 13, 15-16 (C.H. Beck 2020, 3rd Edition).</ref> In addition, ''Hartung'' also makes a systematic argument based on the GDPR’s different obligations for processors and controllers. If Article 28 GDPR did not intend any privilege, the rules of Article 28 GDPR, and in particular of Article 28(10) GDPR, would be superfluous as everything could be regulated via the general GDPR rules.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 18 (C.H. Beck 2020, 3rd Edition).</ref> Ultimately, this is historically justified by the fact that the privilege already existed under the Directive 95/46/EC as already affirmed by the WP29: "''controller and processor and their staff are (…) considered as the ‘inner circle of data processing’ and are not covered by special provisions on third parties.''"<ref>WP29, ‘Opinion 1/2010 on the concepts of "controller" and "processor"’, 00264/10/EN WP 169, 16 February 2010, p. 6 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref>
===(2) Engagement of Other Processors by the Processor===
Article 28(2) GDPR prevents the processor from engaging with further processors without prior specific or general written authorisation of the controller, because the latter remains responsible for the processing operations. In cases of general written authorisations, the EDPS has recommended that at the time when it is given, processors provide controllers with a list of sub-processors, details as to the type of processing, its relation to specific products or services, and the relevant data protection safeguards that will be in place when processing is undertaken by specific sub-processors.<ref>''Millard/Kamarinou'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary [Update of Selected Articles - May 2021] Article 28 GDPR, p. 131 (Oxford University Press 2020).</ref>


The controller is responsible for assessing and selecting the appropriate processor. In doing so, the controller must take into ''serious consideration''” different elements, including processor’s privacy policies, terms of service, records of processing activities, management and information security policies, reports of external audits, recognised international certifications, like ISO 27000series. [[Article 28 GDPR#%20ftn1|[1]]]
If the processor decides to change any of the above (e.g. replace a sub-processor), the controller must be informed so that it can object to such change. According to the EDPS, the opportunity to object must be "''meaningful''".<ref>EDPS, ‘EDPS Public Paper on Outcome of own-initiative investigation into EU institutions’ use of Microsoft products and services’, 2 July 2020, margin number 71 (available [https://edps.europa.eu/sites/edp/files/publication/20-07-02_edps_euis_microsoft_contract_investigation_en.html here]).</ref> This implies that a ‘take-it -or-leave-it’ scenario, "''whereby the sole and exclusive remedy of the controller is to terminate its contract with the processor, would not be a meaningful remedy''". This is because, "''in the EDPS’ view, if terminating one service means having to terminate an entire suite of services and if a controller does not consider that a viable business option, that would result in the controller having no choice but to accept a sub-processor''".<ref>''Millard/Kamarinou'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary [Update of Selected Articles - May 2021] Article 28 GDPR, p. 131 (Oxford University Press 2020).</ref>


The controller should also assess the processor’s expert knowledge and technical expertise (with regard to security measures and data breaches), reliability and resources. The reputation of the processor in the market may also be a relevant factor for consideration. [[Article 28 GDPR#%20ftn2|[2]]]
For specific written authorisations, the EDPB has suggested that these could refer to a specific sub-processor for a specific processing activity and at a specific time and if a processor’s request for a specific authorisation is not answered to within the set time-frame, it should be held as denied. Therefore, according to the EDPB the difference between general and specific authorisations has to do with the interpretation of the controller’s non-response to a request. With regard to "''a general authorisation, the controller’s silence is to be interpreted as an authorisation. In contrast, with regard to a specific authorisation, the controller’s silence is to be interpreted as a refusal to provide authorisation for the specific sub-processor(s) for which the processor is requesting authorisation''".<ref>''Millard/Kamarinou'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary [Update of Selected Articles - May 2021] Article 28 GDPR, p. 132 (Oxford University Press 2020)</ref>


According to the EDPB, the obligation to use only processors “providing sufficient guarantees” is a continuous obligation which does not end with the conclusion of the contract. Rather, the controller should, at appropriate intervals, verify the processor’s guarantees through audits and inspections where appropriate.
In both cases, the EDPB has suggested that the relevant communication procedures and timeframes must be included in the controller-processor contract, and that such timeframe must be reasonable depending on the type and complexity of processing. Article 28(4) GDPR contains further obligations of the processor engaging another processor (see below).
===(3) Contract or Other Legal Act Binding the Processor ===
The relationship between controller and processor must be defined by a written contract<ref>Without prejudice to "''any individual contract between them, the controller and processor can also manage the requirements of Article 28(3) and (4) via standard contractual clauses that the European Commission has issued or a supervisory authority has adopted under Article 28(8)''". See, ''Millard/Kamarinou'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 28 GDPR, p. 606 (Oxford University Press 2020).</ref> or another legally binding act. This is necessary to ensure a transparent allocation of responsibilities and liabilities both internally (between controllers and processors) and externally (towards data subjects and regulators).<ref>See ''Millard/Kamarinou'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 28 GDPR, p. 606 (Oxford University Press 2020).</ref> Under Article 28(3) GDPR, the core content of such contract consists of eight elements: (1) the subject-matter, (2) the duration of the processing, (3) the nature<ref>With regard to the nature of processing, the processor may be given some leeway as to the means of processing. ''Bertermann'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 28 GDPR, margin number 20 (C.H. Beck 2018, 2nd Edition) with reference to WP29, ‘Opinion 1/2010 on the concepts of "controller" and "processor"’, 00264/10/EN WP 169, 16 February 2010, p. 17 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).


==Article 28 (2)==
</ref> and (4) purpose of the processing<ref>The description of the purpose has to be concrete and conclusive. This is necessary to define the roles and the controller's responsibilities. The processor must not have any leeway in this respect. See, ''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 65 (C.H. Beck 2020, 3rd Edition); ''Bertermann'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 28 GDPR, margin number 20 (C.H. Beck 2018, 2nd Edition).</ref>, (5) the type of personal data, (6) the categories of the data subjects and (7) the obligations and rights of the controller.<ref>To determine the rights and obligations of the controller, the following aspects, for example, must be taken into account. According to the GDPR, only the controller decides on deletion, correction and access. In particular, the controller is also responsible for checking the general permissibility and lawfulness of processing and must issue sufficient instructions. In particular, this includes the duty of the controller to appear as such and to create transparency for the data subject. See, ''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 66 (C.H. Beck 2020, 3rd Edition).</ref> The second part of Article 28(3) GDPR provides a list of elements which must be specifically provided for in the agreement between controller and processor.
=====(a) Documented Instructions=====
The contract must oblige the processor to only act on documented instructions from the controller, unless otherwise provided for by Union or Member State law. The provision clarifies that this processing also includes transfers in the sense of [[Article 44 GDPR|Articles 44 et seqq. GDPR]]. According to the EDPB, these instructions shall refer to each processing activity and can include “''permissible and unacceptable handling of personal data, more detailed procedures, ways of securing data, etc. The processor shall not go beyond what is instructed by the controller''”.<ref>EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.0), p. 35 (available [https://edpb.europa.eu/system/files/2021-07/eppb_guidelines_202007_controllerprocessor_final_en.pdf here]).</ref> The contract can provide the parties with procedures and templates to communicate “''documented''” instructions. However, instructions can be given by different means (e.g. e-mail) as long as it is possible to keep records of them. The contract should specify the requirements for transfers to third countries or international organisations, taking into account the provisions of Chapter V of the GDPR. Where Union or Member State law requires a processor to process the data, it shall be exempt from the obligation to do so only on documented instructions. However, it must then inform the controller of the relevant legal requirement before carrying out the processing operation, unless that law prohibits such information on important grounds of public interest.


===Contract===
=====(b) Confidentiality =====
A controller and a processor who enter into a data protection agreement are obliged to sign a written contract (including in electronic form, Article 28 (9) GDPR) to document and specify the scope of the processor’s action, powers and obligations of the parties.  
Persons authorised to process personal data are the employees and temporary workers involved in the processing activities. Under Article 28 (3)(b) GDPR, authorised persons are committed to confidentiality. This may be arranged either via a specific contractual agreement or statutory obligations already in place.  


Such a contract shall set out at least “''the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller''” (Article 28 (3) GDPR).
=====(c) Measures Required by Article 32 GDPR =====
Please refer to the [[Article 32 GDPR|commentary under Article 32 GDPR]].


The controller and processor can also manage the requirements of Article 28(3) and (4) via standard contractual clauses that the European Commission has issued or a supervisory authority has adopted under Article 28(8) GDPR. [[Article 28 GDPR#%20ftn3|[3]]]
===== (d) Engaging a Sub-Processor =====
Processors must act under the instructions of the controller. As explained above, processors should obtain prior specific or general authorisation to use sub-processors or to change arrangements with existing sub-processors. The contract must further regulate these aspects.<ref>See Paragraph 4 on “Sub-Processing” below.</ref>


====Documented instructions====
=====(e) Assisting With the Controller's Obligation to Respond to Data Subject's Requests=====
Article 28 (3)(a) GDPR requires the processor to treat personal data only on documented instructions from the controller.
Dealing with data subjects' requests is a controller’s obligation under [[Article 12 GDPR|Articles 12-22 GDPR]]. According to Article 28(3)(e) GDPR, the processors shall nevertheless be obliged to assist the controller with the fulfilment of these obligations. Typically, this consists of promptly forwarding any requests received from data subjects. However, in some circumstances the processor will be given more specific, technical duties, especially when it is in the position of extracting and managing the personal data. The contract should list the technical and organisational measures adopted by the processor to enable the assistance.  


According to the EDPB, the instructions shall refer to each processing activity and can include “''permissible and unacceptable handling of personal data, more detailed procedures, ways of securing data, etc. The processor shall not go beyond what is instructed by the controller''”. [[Article 28 GDPR#%20ftn4|[4]]]
=====(f) Assisting With the Controller's Obligations under Articles 32 to 36 GDPR=====
Under Article 28(3)(f) GDPR, the agreement between the parties provides further details as to how the processor should assist the controller in complying with [[Article 32 GDPR|Articles 32 - 36 GDPR]]. The reference to [[Article 32 GDPR]] indicates that the processor shall provide assistance on how to best implement effective security measures. When a data breach occurs ([[Article 33 GDPR|Articles 33-34 GDPR]]), the processor shall notify the controller without undue delay. The EDPB also recommends “''to include in the contract a specific timeframe (e.g. number of hours) by which the processor should notify the controller, as well as the point of contact for such notifications, the modality and the minimum content expected by the controller''.” Moreover, the Board notes that “''The contractual arrangement between the controller and the processor may also include an authorisation and a requirement for the processor to directly notify a data breach in accordance with Articles 33 and 34, but the legal responsibility for the notification remains with the controller''”.<ref>EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.0), p. 39 (available [https://edpb.europa.eu/system/files/2021-07/eppb_guidelines_202007_controllerprocessor_final_en.pdf here]).</ref> The processor must provide assistance in case the controller carries out a Data Protection Impact Assessment ([[Article 35 GDPR]]) or if a prior consultation before a DPA is needed under [[Article 36 GDPR]].


The contract can provide the parties with procedures and templates to communicate “documented” instructions. Instructions, however, can be given by different means (e.g. e-mail), as long as it is possible to keep records of them.
=====(g) Deleting or Returning Personal Data=====
The controller can decide whether personal data (including existing copies) shall be deleted or returned after the end of the provision of the processor's services unless the Union or Member State law requires storage of the personal data. If the controller chooses that the personal data be deleted, the processor should ensure that the deletion is performed in a secure manner. The processor should confirm to the controller that the deletion has been completed in keeping with an agreed timescale and manner.<ref>In these exact terms: EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.0), p. 40 (available [https://edpb.europa.eu/system/files/2021-07/eppb_guidelines_202007_controllerprocessor_final_en.pdf here]).</ref>


The rule “''no action without instruction''” also applies to transfers of personal data to a third country or international organisation, as expressly provided for by Article 28 (3)(a) GDPR. The contract should specify the requirements for transfers to third countries or international organisations, taking into account the provisions of Chapter V of the GDPR.
=====(h) Provision of Compliance Demonstrating Information and Contribution to Audits=====
According to Article 28(3)(h) GDPR, the processor should provide all information necessary to demonstrate compliance with all the aforementioned obligations to the controller, and allow for as well as contribute to audits, including inspections, conducted by the controller or another auditor.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 78 (C.H. Beck 2020, 3rd Edition).</ref>


====Unless required to do so by Union or Member State law====
===== Obligation to Notify the Controller in Case of Infringing Instructions =====
A processor can also process data without, against or above controller’s instructions if required to do so by EU law or other applicable Member State law. For this reason, it seems important to carefully negotiate data processing agreements, also with regard to the existence of any such legal requirement.
The final sentence of Article 28(3) GDPR requires the processor to immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. It is advisable to record the results of the inspections carried out by the person responsible so that, if necessary, proof of these can be provided to the supervisory authorities at a later date.  


====Authorised persons====
===(4) Sub-Processing===
Persons authorised to process the personal data are employees and temporary workers involved in the processing activities. Under Article 28 (3)(b) GDPR, authorised persons are committed to strict confidentiality. This may occur either via a specific contractual agreement or statutory obligations already in place.
While Article 28(2) GDPR specifies the conditions under which the processor may engage other processors, Article 28(4) GDPR contains the legal consequences of subcontracting. The first sentence obliges the (original) processor to conclude a contract or other legal act with the sub-processor that contains the same obligations as the one concluded with the controller and the processor. Therefore, the sub-processor should also provide sufficient guarantees that it implemented appropriate technical and organisational measures. The EDPB clarified that “''this includes the obligation under Article 28(3)(h) to allow for and contribute to audits by the controller or another auditor mandated by the controller''”.<ref>EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.0), p. 40 (available [https://edpb.europa.eu/system/files/2021-07/eppb_guidelines_202007_controllerprocessor_final_en.pdf here]).</ref> The second sentence lays out that the (original) processor is liable to the controller for breaches by the sub-processor.


====Security measures====
===(5) Codes of Conduct ===
The contract should list the technical and organisational measures adopted by the processor to ensure the security of the processing.  
Article 28(5) GDPR gives the processor the option of demonstrating sufficient guarantees through adherence to an approved code of conduct ([[Article 40 GDPR]]) or an approved certification mechanism ([[Article 42 GDPR]]). Whether this adherence is real and has been demonstrated must be decided in each case, taking into account the specific processing, the code of conduct and/or the certification procedure.<ref>''Bertermann'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 28 GDPR, margin number 31 (C.H. Beck 2018, 2nd Edition).</ref> Moreover, it should be pointed out that adherence to such systems is only a “''element''” by which to demonstrate sufficient guarantees.. Thus, an overall assessment of the controller based on all the information and evidence available to them is still required (cf. Recital 81 sentence 2 GDPR).<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 59 (C.H. Beck 2020, 3rd Edition).</ref>


The controller can interact with the processor while choosing the security measures. However, the level of such interaction depends on the specific circumstances of the processing. These measures, which the parties initially agree on, cannot be changed without the controller’s approval. [[Article 28 GDPR#%20ftn5|[5]]]
=== (6) to (8) Standard Contractual Clauses ===
Article 28(6) GDPR introduces the possibility to base the contract or other legal act in whole or in part on standard contractual clauses. This option has the potential to create simple and recognised contractual clauses, especially for largely standardised processes and processing such as cloud, hosting and infrastructure services or also software-as-a-service offerings, which creates a balanced and data protection-friendly framework for controllers, processors, as well as data subjects.<ref>''Bertermann'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 28 GDPR, margin number 31 (C.H. Beck 2018, 2nd Edition).</ref> According to this provision, the use of standard contractual clauses can also be considered in connection with an officially recognised certification granted to the controller or processor pursuant to [[Article 42 GDPR|Articles 42]] and [[Article 43 GDPR|43 GDPR]].<ref>''Klug'', in Gola, Datenschutz-Grundverordnung, Article 28 GDPR, margin number 16 (C.H. Beck 2018, 2nd Edition).</ref>


In accordance with Article 31(1)(d) GDPR, the contract should also describe which type of process is in place to assess appropriateness and effectiveness of the existing security measures.  
There are two ways in which standard contractual clauses can be established. On the one hand, the Commission may lay them down in accordance with the examination procedure referred to in [[Article 93 GDPR|Article 93(2) GDPR]] (Article 28(7) GDPR). On the other hand, they can also be adopted by a supervisory authority in accordance with the consistency mechanism referred to in [[Article 63 GDPR]] (Article 28(8) GDPR). The Commission has made use of its power under Article 28(7) GDPR and published standard contractual clauses for the first time with the implementing decision dated 4 June 2021.<ref>Commission, Implementing Decision (EU) 2021/915 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council, 4 June 2021 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0915&from=DE. here]).</ref> Previously, standard contractual clauses were published in the "''EDPB's Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism''".<ref>Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism (available [https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-decisions_en here])</ref>


====Sub-processing====
=== (9) Form Requirements ===
The data processing agreement must regulate the case of sub-processing which takes place when a processor engages another entity to carry out a part of the operations.
Article 28(9) GDPR states that the contract or the other legal act referred to in Article 28(3)(4) GDPR shall be in writing and clarifies that the electronic form fulfils this requirement.  
 
In principle, such choice is not possible unless the controller gives a prior written authorization. The authorization can be general or specific (Article 28(2) GDPR). In case of general authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
 
If the processor obtains the controller’s authorization, then Article 28(4) GDPR becomes relevant. It follows that, where a processor engages another processor for carrying out specific activities, the same data protection obligations as set out in the “main” data processing agreement (between controller and processor) shall be imposed on that other processor by way of (another) contract (or other legal act). [[Article 28 GDPR#%20ftn6|[6]]]
 
The EDPB also clarified that “''This includes the obligation under Article28(3)(h) to allow for and contribute to audits by the controller or another auditor mandated by the controller''”. [[Article 28 GDPR#%20ftn7|[7]]]
 
====Cooperation in addressing rights exercise requests====
Dealing with data subjects rights requests is a precise duty of the controller under Article 12 – 22 GDPR. However, under Article 28(3)(e) GDPR, processors are not exempted from providing the controller with adequate assistance in that regard.
 
Typically, the assistance consists in promptly forwarding any request received from data subjects. However, in some circumstances, the processor will be given more specific, technical duties, especially when it is in the position of extracting and managing the personal data.
 
====Further assistance (Articles 32 - 36)====
Under Article 28(3)(f) GDPR, the agreement between the parties provides further details as to how the processor assist the controller in ensuring compliance with Articles 32 to 36.
 
Reference to Article 32 means that the processor shall provide assistance on how to best implement effective security measures. This provision seems to create a sort of consultancy role on the processor who not only has to respect Article 32 in its own structure, but also has to provide assistance to improve the controller’s systems, where necessary.
 
In case of data breach (Article 33 - 34 GDPR), the processor shall notify the controller without undue delay. [[Article 28 GDPR#%20ftn8|[8]]] The EDPB also recommends “''that there is a specific timeframe of notification (e.g. number of hours) and the point of contact for such notifications be provided in the contract. The contracts should finally specify how the processor shall notify the controller in case of a breach''”. [[Article 28 GDPR#%20ftn9|[9]]]
 
The processor must provide assistance in case the controller carries out a Data Protection Impact Assessment (Article 35) or if a prior consultation before a DPA is needed under Article 36 GDPR.
 
====Deletion of data====
The controller can decide whether personal data shall be deleted or returned by specifying it in the contract. If the controller chooses that the personal data be deleted, the processor should ensure that the deletion is performed in a secure manner, also in order to comply with Article 32 GDPR. The processor should confirm to the controller that the deletion has been completed within an agreed timescale and manner.[[Article 28 GDPR#%20ftn10|[10]]]
 
====Demonstrate compliance and allow for audits====
The controller can (and should), at appropriate intervals, verify the processor’s GDPR compliance through audits and inspections (Article 28 (3)(h) GDPR). However, in practice, it seems not clear what the real scope of such audit rights is.
 
In assessing the first version of the draft controller/processor clauses submitted by the Danish Authority[[Article 28 GDPR#%20ftn11|[11]]], the EDPB showed a certain criticism towards the excessive restriction of the controller’s audit rights. In particular, the Board criticises the drafting of clause 12.3, which, in its original version, seemed to “''limit this right of the data controller vis-a-vis the sub-processor'' (“''if applicable''” ''and'' “''performed through the Data processor''”)”.
 
The Board therefore requests “''that the Danish SA redrafts clause 12.3 in order to be in full compliance with the GDPR. This can be done by merging clauses 12.2 and 12.3 as follows'': “''Procedures applicable to the data controller’s audits, including inspections of the data processor and the data sub-processor are specified in appendices C6 and C7 to the standard contractual clauses''” (para 44).
 
The Danish Authority accepted the EDPB suggestion and, in line with such guidance, modified the wording of Appendix C7, which now seems to afford full protection of the controller’s audit rights:
 
“''The data controller or the data controller’s representative shall [STATE TIME PERIOD] perform a physical inspection of the places, where the processing of personal data is carried out by the data processor, including physical facilities as well as systems used for and related to the processing to ascertain the data processor’s compliance with the GDPR, the applicable EU or Member State data protection provisions and the Clauses. In addition to the planned inspection, the data controller may perform an inspection of the data processor when the data controller deems it required''”.
 
Since the above-mentioned version of the Danish Standard Contractual Clauses has been approved by the EDPB, it is not unreasonable to conclude that the Board has accepted such broad interpretation of the audit rights.
 
===Article 28 (3)===
====Unlawful instructions====
According to Article 28 (3) GDPR, the processor must immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions
----[[Article 28 GDPR#%20ftnref1|[1]]] EDPB, ''Guidelines 07/2020 on the concepts of controller and processor in the GDPR'', p. 29.
 
[[Article 28 GDPR#%20ftnref2|[2]]] EDPB, ''Guidelines 07/2020 […]'', p. 30.
 
[[Article 28 GDPR#%20ftnref3|[3]]] Rücker, D., & In Kugler, T. (2018). ''New European General Data Protection Regulation, a practitioner's guide: Ensuring compliant corporate practice''.
 
[[Article 28 GDPR#%20ftnref4|[4]]] EDPB, ''Guidelines 07/2020 […]'', p. 34.
 
[[Article 28 GDPR#%20ftnref5|[5]]] The EDPB clarified that in “''some cases, the controller may provide a clear a detailed description of the security measures to be implemented. In other cases, the controller may describe the minimum security objectives to be achieved, while requesting the process or to propose implementation of specific security measures''” (EDPB, ''Guidelines 07/2020 […]'', p. 35).
 
[[Article 28 GDPR#%20ftnref6|[6]]] According to Rücker, D., & In Kugler, T. […], p. 227, (cit.) “''To ensure lawful sub-processing, the data protection obligations and responsibilities of all actors involved must, however, be clearly allocated. Chains of (sub-)processors that would dilute or even prevent effective control and clear responsibility for processing activities, must be avoided.''”
 
[[Article 28 GDPR#%20ftnref7|[7]]] EDPB, ''Guidelines 07/2020'' […], p. 36.
 
[[Article 28 GDPR#%20ftnref8|[8]]] EDPB, ''Guidelines on Personal data breach notification under Regulation 2016/679'', WP250rev.01, 6 February 2018, p.13-14
 
[[Article 28 GDPR#%20ftnref9|[9]]] EDPB, ''Guidelines 07/2020'' […], p. 37.
 
[[Article 28 GDPR#%20ftnref10|[10]]] In these exact terms, EDPB, ''Guidelines 07/2020'' […], p. 38.
 
[[Article 28 GDPR#%20ftnref11|[11]]] EDPB, ''Opinion 14/2019 on the draft Standard Contractual Clauses submitted by the DKSA'', 9 July 2019


=== (10) Consequences in Case of an Excess of the Processor ===
The processor is not entitled to determine the purposes and means of the processing. If it nevertheless takes over the processing, it is deemed a controller with regard to this processing pursuant to Article 28(10) GDPR. This provision governs cases where the processor unlawfully exceeds its powers because the decision-making power lies with the controller.<ref>''Spoerr'', in Wolff, Brink, BeckOK Datenschutzrecht, Article 28 GDPR, margin number 104 (Beck 2021, 39th Edition).</ref>  Any liability under Articles 82, 83 and 84 remains unaffected. The processor loses its privileged status with regard to liability, and is subject to all the obligations of a controller set out in the Regulation.<ref>''Spoerr'', in Wolff, Brink, BeckOK Datenschutzrecht, Article 28 GDPR, margin number 104 (Beck 2021, 39th Edition).</ref>
==Decisions==
==Decisions==
→ You can find all related decisions in [[:Category:Article 28 GDPR]]
→ You can find all related decisions in [[:Category:Article 28 GDPR]]

Revision as of 10:33, 27 April 2022

Article 28 - Processor
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 28 - Processor

1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:

(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) takes all measures required pursuant to Article 32;
(d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
(e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;
(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;
(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

4. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.

5. Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.

6. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.

7. The Commission may lay down standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2).

8. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.

9. The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.

10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.

Relevant Recitals

Recital 81: Entrusting a Processor
To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller. The carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject. The controller and processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission. After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store the personal data under Union or Member State law to which the processor is subject.

Commentary

Complex processing often requires the outsourcing of certain activities to specialised service providers with whom personal data are then shared (“processors”). Article 28 GDPR addresses this scenario and establishes the legal framework for such cooperation, thereby ensuring the protection of the data subjects' rights as well as general GDPR compliance.

(1) Duty to Use Processors and Minimum Requirements

Article 28 GDPR governs the relationship between the controller and the processor. Controllers can only work with processors who can provide guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. The controller must be able to demonstrate the required technical knowledge, expertise and resources to provide adequate guarantees.

Processor - Processing Carried Out on Behalf of the Controller

The definition of processor consists of positive and negative characteristics. Positively, a processor processes data "on behalf" of the controller (Article 4(8) GDPR), meaning that they do so under instructions.[1] Negatively, the processing person cannot be considered a processor if they meet the requirements of being a (joint) controller in the sense of Article 4(7) GDPR and Article 26(1) GDPR.

Appropriate Technical and Organisational Measures

The controller may only use “processors providing sufficient guarantees to implement appropriate technical and organisational measures”. According to Recital 81 GDPR, the assessment shall be done "in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of [the] Regulation, including for the security of processing". More precisely, the controller will have to take into “serious consideration” different elements, including the processor’s privacy policies, terms of service, records of processing activities, management and information security policies, reports of external audits as well as recognised international certifications (e.g. ISO 27000 series). The controller should also assess the processor’s expert knowledge and technical expertise of security measures and data breaches, reliability and resources. The reputation of the processor in the market may also be a relevant factor. The obligation to use only processors “providing sufficient guarantees” is a continuous one which does not end with the conclusion of the contract. Rather, the controller should verify the processor’s guarantees through audits and inspections at appropriate intervals.[2]

Privileged Processing in the Controller-Processor-Relation

It is generally accepted that processing in the controller-processor relationship is privileged. This notably means that no legal basis under Article 6 GDPR is required for the sharing of personal data between the two parties. This does not weaken the standard of data protection because the "reduced" material legal requirements are compensated for by technical and organisational measures. This view is supported by the fact that the processor is bound by the controller’s instructions.[3] In addition, Hartung also makes a systematic argument based on the GDPR’s different obligations for processors and controllers. If Article 28 GDPR did not intend any privilege, the rules of Article 28 GDPR, and in particular of Article 28(10) GDPR, would be superfluous as everything could be regulated via the general GDPR rules.[4] Ultimately, this is historically justified by the fact that the privilege already existed under the Directive 95/46/EC as already affirmed by the WP29: "controller and processor and their staff are (…) considered as the ‘inner circle of data processing’ and are not covered by special provisions on third parties."[5]

(2) Engagement of Other Processors by the Processor

Article 28(2) GDPR prevents the processor from engaging with further processors without prior specific or general written authorisation of the controller, because the latter remains responsible for the processing operations. In cases of general written authorisations, the EDPS has recommended that at the time when it is given, processors provide controllers with a list of sub-processors, details as to the type of processing, its relation to specific products or services, and the relevant data protection safeguards that will be in place when processing is undertaken by specific sub-processors.[6]

If the processor decides to change any of the above (e.g. replace a sub-processor), the controller must be informed so that it can object to such change. According to the EDPS, the opportunity to object must be "meaningful".[7] This implies that a ‘take-it -or-leave-it’ scenario, "whereby the sole and exclusive remedy of the controller is to terminate its contract with the processor, would not be a meaningful remedy". This is because, "in the EDPS’ view, if terminating one service means having to terminate an entire suite of services and if a controller does not consider that a viable business option, that would result in the controller having no choice but to accept a sub-processor".[8]

For specific written authorisations, the EDPB has suggested that these could refer to a specific sub-processor for a specific processing activity and at a specific time and if a processor’s request for a specific authorisation is not answered to within the set time-frame, it should be held as denied. Therefore, according to the EDPB the difference between general and specific authorisations has to do with the interpretation of the controller’s non-response to a request. With regard to "a general authorisation, the controller’s silence is to be interpreted as an authorisation. In contrast, with regard to a specific authorisation, the controller’s silence is to be interpreted as a refusal to provide authorisation for the specific sub-processor(s) for which the processor is requesting authorisation".[9]

In both cases, the EDPB has suggested that the relevant communication procedures and timeframes must be included in the controller-processor contract, and that such timeframe must be reasonable depending on the type and complexity of processing. Article 28(4) GDPR contains further obligations of the processor engaging another processor (see below).

(3) Contract or Other Legal Act Binding the Processor

The relationship between controller and processor must be defined by a written contract[10] or another legally binding act. This is necessary to ensure a transparent allocation of responsibilities and liabilities both internally (between controllers and processors) and externally (towards data subjects and regulators).[11] Under Article 28(3) GDPR, the core content of such contract consists of eight elements: (1) the subject-matter, (2) the duration of the processing, (3) the nature[12] and (4) purpose of the processing[13], (5) the type of personal data, (6) the categories of the data subjects and (7) the obligations and rights of the controller.[14] The second part of Article 28(3) GDPR provides a list of elements which must be specifically provided for in the agreement between controller and processor.

(a) Documented Instructions

The contract must oblige the processor to only act on documented instructions from the controller, unless otherwise provided for by Union or Member State law. The provision clarifies that this processing also includes transfers in the sense of Articles 44 et seqq. GDPR. According to the EDPB, these instructions shall refer to each processing activity and can include “permissible and unacceptable handling of personal data, more detailed procedures, ways of securing data, etc. The processor shall not go beyond what is instructed by the controller”.[15] The contract can provide the parties with procedures and templates to communicate “documented” instructions. However, instructions can be given by different means (e.g. e-mail) as long as it is possible to keep records of them. The contract should specify the requirements for transfers to third countries or international organisations, taking into account the provisions of Chapter V of the GDPR. Where Union or Member State law requires a processor to process the data, it shall be exempt from the obligation to do so only on documented instructions. However, it must then inform the controller of the relevant legal requirement before carrying out the processing operation, unless that law prohibits such information on important grounds of public interest.

(b) Confidentiality

Persons authorised to process personal data are the employees and temporary workers involved in the processing activities. Under Article 28 (3)(b) GDPR, authorised persons are committed to confidentiality. This may be arranged either via a specific contractual agreement or statutory obligations already in place.

(c) Measures Required by Article 32 GDPR

Please refer to the commentary under Article 32 GDPR.

(d) Engaging a Sub-Processor

Processors must act under the instructions of the controller. As explained above, processors should obtain prior specific or general authorisation to use sub-processors or to change arrangements with existing sub-processors. The contract must further regulate these aspects.[16]

(e) Assisting With the Controller's Obligation to Respond to Data Subject's Requests

Dealing with data subjects' requests is a controller’s obligation under Articles 12-22 GDPR. According to Article 28(3)(e) GDPR, the processors shall nevertheless be obliged to assist the controller with the fulfilment of these obligations. Typically, this consists of promptly forwarding any requests received from data subjects. However, in some circumstances the processor will be given more specific, technical duties, especially when it is in the position of extracting and managing the personal data. The contract should list the technical and organisational measures adopted by the processor to enable the assistance.

(f) Assisting With the Controller's Obligations under Articles 32 to 36 GDPR

Under Article 28(3)(f) GDPR, the agreement between the parties provides further details as to how the processor should assist the controller in complying with Articles 32 - 36 GDPR. The reference to Article 32 GDPR indicates that the processor shall provide assistance on how to best implement effective security measures. When a data breach occurs (Articles 33-34 GDPR), the processor shall notify the controller without undue delay. The EDPB also recommends “to include in the contract a specific timeframe (e.g. number of hours) by which the processor should notify the controller, as well as the point of contact for such notifications, the modality and the minimum content expected by the controller.” Moreover, the Board notes that “The contractual arrangement between the controller and the processor may also include an authorisation and a requirement for the processor to directly notify a data breach in accordance with Articles 33 and 34, but the legal responsibility for the notification remains with the controller”.[17] The processor must provide assistance in case the controller carries out a Data Protection Impact Assessment (Article 35 GDPR) or if a prior consultation before a DPA is needed under Article 36 GDPR.

(g) Deleting or Returning Personal Data

The controller can decide whether personal data (including existing copies) shall be deleted or returned after the end of the provision of the processor's services unless the Union or Member State law requires storage of the personal data. If the controller chooses that the personal data be deleted, the processor should ensure that the deletion is performed in a secure manner. The processor should confirm to the controller that the deletion has been completed in keeping with an agreed timescale and manner.[18]

(h) Provision of Compliance Demonstrating Information and Contribution to Audits

According to Article 28(3)(h) GDPR, the processor should provide all information necessary to demonstrate compliance with all the aforementioned obligations to the controller, and allow for as well as contribute to audits, including inspections, conducted by the controller or another auditor.[19]

Obligation to Notify the Controller in Case of Infringing Instructions

The final sentence of Article 28(3) GDPR requires the processor to immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. It is advisable to record the results of the inspections carried out by the person responsible so that, if necessary, proof of these can be provided to the supervisory authorities at a later date.

(4) Sub-Processing

While Article 28(2) GDPR specifies the conditions under which the processor may engage other processors, Article 28(4) GDPR contains the legal consequences of subcontracting. The first sentence obliges the (original) processor to conclude a contract or other legal act with the sub-processor that contains the same obligations as the one concluded with the controller and the processor. Therefore, the sub-processor should also provide sufficient guarantees that it implemented appropriate technical and organisational measures. The EDPB clarified that “this includes the obligation under Article 28(3)(h) to allow for and contribute to audits by the controller or another auditor mandated by the controller”.[20] The second sentence lays out that the (original) processor is liable to the controller for breaches by the sub-processor.

(5) Codes of Conduct

Article 28(5) GDPR gives the processor the option of demonstrating sufficient guarantees through adherence to an approved code of conduct (Article 40 GDPR) or an approved certification mechanism (Article 42 GDPR). Whether this adherence is real and has been demonstrated must be decided in each case, taking into account the specific processing, the code of conduct and/or the certification procedure.[21] Moreover, it should be pointed out that adherence to such systems is only a “element” by which to demonstrate sufficient guarantees.. Thus, an overall assessment of the controller based on all the information and evidence available to them is still required (cf. Recital 81 sentence 2 GDPR).[22]

(6) to (8) Standard Contractual Clauses

Article 28(6) GDPR introduces the possibility to base the contract or other legal act in whole or in part on standard contractual clauses. This option has the potential to create simple and recognised contractual clauses, especially for largely standardised processes and processing such as cloud, hosting and infrastructure services or also software-as-a-service offerings, which creates a balanced and data protection-friendly framework for controllers, processors, as well as data subjects.[23] According to this provision, the use of standard contractual clauses can also be considered in connection with an officially recognised certification granted to the controller or processor pursuant to Articles 42 and 43 GDPR.[24]

There are two ways in which standard contractual clauses can be established. On the one hand, the Commission may lay them down in accordance with the examination procedure referred to in Article 93(2) GDPR (Article 28(7) GDPR). On the other hand, they can also be adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 63 GDPR (Article 28(8) GDPR). The Commission has made use of its power under Article 28(7) GDPR and published standard contractual clauses for the first time with the implementing decision dated 4 June 2021.[25] Previously, standard contractual clauses were published in the "EDPB's Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism".[26]

(9) Form Requirements

Article 28(9) GDPR states that the contract or the other legal act referred to in Article 28(3)(4) GDPR shall be in writing and clarifies that the electronic form fulfils this requirement.

(10) Consequences in Case of an Excess of the Processor

The processor is not entitled to determine the purposes and means of the processing. If it nevertheless takes over the processing, it is deemed a controller with regard to this processing pursuant to Article 28(10) GDPR. This provision governs cases where the processor unlawfully exceeds its powers because the decision-making power lies with the controller.[27]  Any liability under Articles 82, 83 and 84 remains unaffected. The processor loses its privileged status with regard to liability, and is subject to all the obligations of a controller set out in the Regulation.[28]

Decisions

→ You can find all related decisions in Category:Article 28 GDPR

References

  1. See the commentary on Article 4(8) for more information.
  2. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.0), p. 31 (available here).
  3. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin numbers 13, 15-16 (C.H. Beck 2020, 3rd Edition).
  4. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 18 (C.H. Beck 2020, 3rd Edition).
  5. WP29, ‘Opinion 1/2010 on the concepts of "controller" and "processor"’, 00264/10/EN WP 169, 16 February 2010, p. 6 (available here).
  6. Millard/Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary [Update of Selected Articles - May 2021] Article 28 GDPR, p. 131 (Oxford University Press 2020).
  7. EDPS, ‘EDPS Public Paper on Outcome of own-initiative investigation into EU institutions’ use of Microsoft products and services’, 2 July 2020, margin number 71 (available here).
  8. Millard/Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary [Update of Selected Articles - May 2021] Article 28 GDPR, p. 131 (Oxford University Press 2020).
  9. Millard/Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary [Update of Selected Articles - May 2021] Article 28 GDPR, p. 132 (Oxford University Press 2020)
  10. Without prejudice to "any individual contract between them, the controller and processor can also manage the requirements of Article 28(3) and (4) via standard contractual clauses that the European Commission has issued or a supervisory authority has adopted under Article 28(8)". See, Millard/Kamarinou, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 28 GDPR, p. 606 (Oxford University Press 2020).
  11. See Millard/Kamarinou, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 28 GDPR, p. 606 (Oxford University Press 2020).
  12. With regard to the nature of processing, the processor may be given some leeway as to the means of processing. Bertermann, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 28 GDPR, margin number 20 (C.H. Beck 2018, 2nd Edition) with reference to WP29, ‘Opinion 1/2010 on the concepts of "controller" and "processor"’, 00264/10/EN WP 169, 16 February 2010, p. 17 (available here).
  13. The description of the purpose has to be concrete and conclusive. This is necessary to define the roles and the controller's responsibilities. The processor must not have any leeway in this respect. See, Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 65 (C.H. Beck 2020, 3rd Edition); Bertermann, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 28 GDPR, margin number 20 (C.H. Beck 2018, 2nd Edition).
  14. To determine the rights and obligations of the controller, the following aspects, for example, must be taken into account. According to the GDPR, only the controller decides on deletion, correction and access. In particular, the controller is also responsible for checking the general permissibility and lawfulness of processing and must issue sufficient instructions. In particular, this includes the duty of the controller to appear as such and to create transparency for the data subject. See, Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 66 (C.H. Beck 2020, 3rd Edition).
  15. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.0), p. 35 (available here).
  16. See Paragraph 4 on “Sub-Processing” below.
  17. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.0), p. 39 (available here).
  18. In these exact terms: EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.0), p. 40 (available here).
  19. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 78 (C.H. Beck 2020, 3rd Edition).
  20. EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.0), p. 40 (available here).
  21. Bertermann, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 28 GDPR, margin number 31 (C.H. Beck 2018, 2nd Edition).
  22. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 25 GDPR, margin number 59 (C.H. Beck 2020, 3rd Edition).
  23. Bertermann, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 28 GDPR, margin number 31 (C.H. Beck 2018, 2nd Edition).
  24. Klug, in Gola, Datenschutz-Grundverordnung, Article 28 GDPR, margin number 16 (C.H. Beck 2018, 2nd Edition).
  25. Commission, Implementing Decision (EU) 2021/915 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council, 4 June 2021 (available here).
  26. Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism (available here)
  27. Spoerr, in Wolff, Brink, BeckOK Datenschutzrecht, Article 28 GDPR, margin number 104 (Beck 2021, 39th Edition).
  28. Spoerr, in Wolff, Brink, BeckOK Datenschutzrecht, Article 28 GDPR, margin number 104 (Beck 2021, 39th Edition).