Article 28 - General Data Protection Regulation Act

Published on : 29 Mar 2022

Article 28 General Data Protection Regulation Act Explained


The General Data Protection Regulation Act (GDPR) requires Data Controllers to establish a written agreement with the Data Processor stating the terms and conditions for the data processing activity. So, before getting into a contract with the Data Processor, a Data Processing Agreement must be signed between both parties regarding the conduct of processing personal data.

The terms, conditions, and requirements of the Data Processing Agreement are specified in the GDPR Article 28. Article 28 of GDPR outlines the requirements and provides guidelines for Data Processors highlighting their responsibilities towards ensuring the privacy and security of personal data. Elaborating the requirement by Article 28 we have explained what is expected of the Data Processor to ensure GDPR Compliance.

What is Article 28 of GDPR? 

GDPR Article 28 outlines requirements for Data Processor in terms of processing personal data. It further requires Data Processors to follow the documented instructions from the Data Controllers for processing the data. Under special circumstances as per the law or legal requirement, the Data Processor must notify the Data Controller of the legal requirement, before processing the data.

This requirement also applies to the transfer of personal data to a third country or international organization. Under any circumstance, the Data Processor must ensure they are authorized to process the data while meeting the security and privacy requirements of GDPR. The Data Processor must take all measures required as per Article 32 ensuring the Security of Processing Personal Data. That said, given below are the requirements that Data Processors are expected to meet, as specified in Article 28 of GDPR. 

Selection of Data Processor

Article 28 Paragraph 1 of GDPR clearly states the criteria for the selection of a Data Processor. The Data Controller must only engage with Data Processors who have sufficiently implemented appropriate technical and organizational security measures that meet the requirement of GDPR. This is especially while they ensure the protection of the rights of the data subject. Data Controllers must work with only those Data Processors who can guarantee the implementation of sufficient security measures that meets the requirements of GDPR.

Engaging with Sub Data Processors

The Data Processor is required to engage with Sub Data Processors only based on the approval from the Data Controller. GDPR Article 28 paragraph 2 states that the Data Processor shall not engage with another processor without the prior specific or general written authorization of the controller.

Further, incase by the general written authorization, the Data Processor engages with Sub Processor, then the Data Processor needs to inform the controller of the intended changes relating to the involvement of the other processors, thereby allowing the Data controller an opportunity to object to such changes if they are deemed unfit. 

Governance of Processing Activity

GDPR Article 28 paragraph 3 requires the Data Controller to establish and sign a contract with the Data Processor stating the duration of the processing, the nature, and purpose of the processing, the type of personal data to be processed and categories of data subjects, and the obligations and rights of the controller. The contract further includes-

  • The requirement of conducting the data processing activity should be based on the documented instruction from the Data Controller.
  • The Data Processor should ensure access to the personal data to only those personnel committed to confidentiality or abide by the statutory obligation of confidentiality of data. 
  • Data Processors are expected to implement technical and organizational measures as outlined in Article 32 of GDPR
  • Data Processors will not engage with other Sub Data Processors without the prior consent of the Data Controller. 
  • In case the Data Processor hires a Sub-processor, the Sub Processor must flow through the obligations and ensure that the Data Processor’s obligations are enforced. 
  • The Data Processors are required to or rather expected to fulfill the Data Controller’s obligation to respond to the requests exercised by the data subject under the data subject’s rights in Chapter III. 
  • Data Processors are expected to assist Data Controllers in ensuring compliance with the obligations according to Articles 32 to 36 taking into account the nature of processing and the information available to the Data Processor.  This includes assistance in ensuring 
    • Article 32 GDPR– Security of Processing 
    • Article 33 GDPR – Notification of a Personal Data Breach to Supervisory Authority.
    • Article 34 GDPR– Communication of a Personal Data Breach to the Data Subject 
    • Article 35 GDPR – Data Protection Impact Assessment 
    • Article 36 GDPR – Prior Consultation with Supervisory Authority 
  • On the advice of the Data Controller delete or return the personal data 
  • Provide the Data Controller with any information demonstrating the Data Processor’s compliance with GDPR and further allow contributing to audits, including inspections, conducted by the controller or another auditor mandated by the Data Controller. 

Contractual Obligation on Processor

If and when the Data Processor engages with a Sub Processor, they need to ensure that the Sub Processor is bound by the same terms and conditions in the contract between the Data Processor and Data Controller. The Data Process is liable to ensure that the Sub Processor performs its activities in compliance with the requirements of GDPR and meets all the obligations. 

Approved Code of Conduct

The Data Processor is expected to comply with the approved code of conduct as outlined in Article 40 GDPR or an approved certification as outlined in Article 42 GDPR to demonstrate they offer sufficient guarantees to securely process personal data.

Standard Contractual Clauses

As per the standard contractual clause the contract between the Data Controller and the Data Processor can be in whole or in parts as referred to in paragraphs 7 and 8 of Article 28 GDPR and as a part of the certification provided to the controller or processor according to Articles 42 GDPR and Article 43 GDPR.

Commission Adopting Standard Contractual Clauses

The GDPR Regulations authorizes the commission to adopt standard contractual clauses allowing Data Controllers to use with Data Processors as referred to in paragraph 3 and 4 of Article 28 GDPR and in accordance with Article 93 GDPR which is Committee Procedures, paragraph 2.  

Supervisory Authority Adopting Standard Contractual Clauses

The supervisor authorities are authorized to adopt standard contractual clauses based on the consistency mechanism referred to in GDPR Article 63 and paragraphs 3 and 4 of Article 28 GDPR.

Written Contracts

The General Data Protection Regulation requires the contract, agreement, or any other legal act referred to in paragraphs 3 and 4 of GDPR Article 28 between the Data Processor and the Data Contractor shall be in writing, including in electronic form.

Data Processor Considered as Data Controller

In case where the Data Processor determines the purpose of Data Processing, the Data Processor shall be considered as a Data Controller with regards to that processing activity without prejudice to Article 82, Article 83 & Article 84 of GDPR.

(Source – EUR-Lex)

For more details on GDPR Regulation or any queries, you can contact us or drop us a mail at [email protected]. You can even read our other articles, webinars, and expert videos explaining the GDPR Regulation in detail and ways to achieve compliance. For guidance and consultation relating to the GDPR Compliance you can avail our FREE ONE SESSION OF CONSULTATION WITH OUR EXPERTS!

Narendra Sahoo
Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.