Article 28 of GDPR: The Essentials for Data Processors

Vimal Mohan

Vimal Mohan

Sep 18, 2022

what is article 28 gdpr

Article 28 GDPR (General Data Protection Regulation) discusses the written contract between a controller and a processor (or a sub-processor). This contract legally allows processors to process personal data on behalf of the Controller.

This contract is also known as a Data Processing Agreement (DPA).

Here’s an example of a standard DPA and the information in it.

article 28 gdpr

If your organization is a Data Processor, then you must comply with GDPR’s Article 28 by providing evidence of the required guarantees in the framework. In this article, we shed light on data Processors’ requirements and the steps to achieve that status.  And if you are a Controller, we’ve got you covered too.

As a Controller, it is your responsibility to legally obtain a contract signed by the Processor. The contract should state the roles and obligations the Processor must align with as well as include the rights of the Controller.

To simplify this, the Controller is ultimately responsible for the personal data in use, and it is their responsibility to ensure that the processors are on-boarded the legal way.

What is Article 28 GDPR?

Article 28 of the GDPR discusses the written contract between a data controller and a processor (or a sub-processor) and establishes the legally-binding boundaries of their relationship.

As per Article 28 GDPR: When the Processor agrees to process personal data on the Controller’s behalf. For instance, 

This is also applicable when a Processor outsources the data processing activity to a Sub-Processor.

gdpr article 28

Data processors must follow all the written guidelines passed on by the Controller when processing their data.

Under exceptional circumstances, as per the local governance rules, the Processor is supposed to notify the Controller about the legal requirement. The Controller has to be notified before the Processor processes their data.

Article 28 is valid even when personal data is transferred to a processor in a third country. The Processor should always ensure that they are GDPR compliant with Article 32 GDPR. This means they have the technical and organizational measures in place to ensure the security of personal data.

It is imperative to know that Article 28 is drafted to define the regulations a data processor has to abide by to remain on the right side of GDPR compliance.

Article 28 of GDPR paragraph 1: Selection of Data Processor

Paragraph 1 of Article 28 GDPR talks about the selection criteria the Controller must adhere to when picking a processor to process their data. 

The Controller must work only with processors who can produce evidence of their technical and organizational safeguards to ensure data integrity and that the measures deployed to meet the GDPR requirements.

This is to ensure that users’ data rights are not violated.

Article 28 GDPR paragraph 2: Engaging with Sub Data Processors

Data processors can involve subprocessors in the data processing activities only after a controller’s written consent/approval. In instances where written consent is levied, the Processor is required to inform the Controller of the degree of involvement of the sub-processor in the processing activity. This enables the Controller to reject/object to the participation of the sub-processor if they find the Processor unfit to execute the task with the desired efficiency.

Article 28 GDPR paragraph 3: Governance of Processing Activity

Paragraph 3 of GDPR Article 28 requires the Controller to enforce a contract with the Processor where the contractor states the duration for which the data will be processed, the nature of the data, defines the purpose of processing, the type of data that will be processed, include the categories of data subjects, and list all the rights and obligations the Controller is entitled to.

Here’s a nine-point description of paragraph 2 of GDPR Article 28

1) The Processor’s GDPR processing activities should be in line with the written requirements passed on by a controller.

2) A data processor should allow personal data access only to those committed to the obligation of data confidentiality.

3)Data processors must implement and showcase all the technical safeguards mentioned in Article 32 of GDPR.

4) Data processors will not involve a sub-processor in the mix without the written approval of the Controller. 

5) When a data processor includes a sub-processor in the data processing activity, the sub-processor is also required to adhere to all the requirements and obligations that apply to a processor.

6) According to the Data Subject’s rights of access, the Processor is required to respond and deliver to all the obligations of the Controller.

7) Data processors are expected to assist controllers in ensuring compliance. This is done after considering the Processor’s access to information and the nature of data processing that they participate in. Therefore, they are obligated to extend their assistance to remain compliant with Article 32, Article 33, Article 34, Article 35, and Article 36.

8) Processors are required to delete data when a controller makes a written request about it. In a few instances, they could also be asked to return the data.

9) The Processor will have to present a detailed data mapping of their systems and measures to ensure GDPR compliance. They are also expected to forward their periodic audit reports, participate in inspections and comply with independent audits run by the Controller or an auditing body appointed by the Controller.

Do I need a Data Processing Agreement?

Yes, you will need a Data Processing Agreement or a contract, even if you are a controller, Processor, or sub-processor.

Controllers must ensure that their processors sign the contract and are informed of their obligations and responsibilities before processing personal data.

A processor will issue a contract or a DPA to a sub-processor when they get onboarded to the processing activity. This contract legally binds the sub-processor to instil the technical and organizational requirements mandated by GDPR to achieve compliance. 

Official Contents of the Article 28 of the GDPR

Here’s a quick sneak peek of the contents of GDPR’s official draft of GDPR Article 28 and how it affects Controllers and Processors

1. Where the processing is carried out on behalf of a controller, the Controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

2. The Processor shall not engage another processor without the prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Controller the opportunity to object to such changes.

3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law that is binding on the Processor with regard to the Controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the Controller. That contract or other legal act shall stipulate, in particular, that the Processor:

(a) processes the personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

(b) ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality

(c) takes all measures required pursuant to Article 32

(d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor

(e) taking into account the nature of the processing, assists the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III

(f) assists the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the Processor

(g) at the choice of the Controller, deletes or returns all the personal data to the Controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data

(h) makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller

With regard to point (h) of the first subparagraph, the Processor shall immediately inform the Controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

4. Where a processor engages another processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in the contract or other legal act between the Controller and the Processor as referred to in paragraph 3 shall be imposed on that other Processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other Processor fails to fulfil its data protection obligations, the initial Processor shall remain fully liable to the Controller for the performance of that other Processor’s obligations.

5. Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.

6. Without prejudice to an individual contract between the Controller and the Processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the Controller or Processor pursuant to Articles 42 and 43.

7. The Commission may lay down standard contractual clauses for the matters referred to in paragraphs 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2).

8. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.

9. The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.

10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the Processor shall be considered to be a controller in respect of that processing.


What is the GDPR in simple terms?

GDPR is a law by the European council to protect the digital privacy rights of European citizens living within and outside of the EU region. To comply, businesses have to abide by a set of rules and regulations. The GDPR brings the power back to the user and enables the user to decide how their personal data is processed.

What data subject right is absolute?

GDPR empowers its data subjects (individuals within the EU region) with six rights. These are designed to enable users to decide how their personal data is processed. While few are subject to variables, every data individual’s absolute right is to stop their data from being used for direct marketing efforts. 

Vimal Mohan

Vimal Mohan

Vimal is a Content Lead at Sprinto who masterfully simplifies the world of compliance for every day folks. When not decoding complex framework requirements and compliance speak, you can find him at the local MMA dojo, exploring trails on his cycle, or hiking. He blends regulatory wisdom with an adventurous spirit, navigating both worlds with effortless expertise

Here’s what to read next….

Sprinto: Your growth superpower

Use Sprinto to centralize security compliance management – so nothing
gets in the way of your moving up and winning big.