What Is GDPR Article 28?

Article 28 of the GDPR describes the duties of organizations thatprocess personal data. This article defines processors as parties that work with data on behalf of and under the authority of controllers.

Article 28 begins by stating that controllers should only use processors that guarantee implementation of the technical and organizational measures necessary to protect the rights of data subjects. Subsequent paragraphs cover the issue of third party sub-processors and contracts or data processing agreements.

GDPR Article 28 specifies that processors who determine the purposes or means of processing personal data infringe on this regulation and can be liable as controllers. The responsibility of the controller is set forth in Article 24 and expanded on throughout Chapter 4 of the GDPR.

What Are Data Processors and Controllers?

Data processors are entities or organizations that process data on behalf of controllers. The main distinction between a processor and a controller is that controllers use data for their own purposes, whereas processors enter into contractual agreements to only use data based on documented instructions from controllers.

In most cases, when a business client uses a digital marketing platform, the business client is the data controller and the marketing company is the data processor. In the case of cloud services, the users of these services are controllers and cloud services providers are processor vendors.

The distinction between controllers and processors is clear even when multiple parties process data. For instance, joint controllers both process data for their own purposes. Sub-processors can also process data on behalf of controllers and processors, but Article 28 GDPR requirements state that a processor cannot engage another processor without prior authorization from a controller.

What Is a Data Processing Agreement?

A data processing agreement is a contract that specifies the terms on which a controller engages the services of a processor. Stakeholders can write these agreements from scratch or use templates. Popular processors often include DPAs in terms of service.

If a processor vendor does not provide a DPA to a controller, it is the duty of the controller to issue a DPA. These contracts articulate the roles and responsibilities of both parties and establish measures for enforcing data privacy regulations throughout the duration of contracts.

DPAs clarify the conditions on which controllers and processors operate, from confidentiality, security and the protection of the rights of data subjects to the duties of a processor to assist a controller. It is important to note that not all third parties engaged by controllers are processors. The manner in which an entity uses data determines their role with regard to GDPR compliance.

What Should a DPA Cover?

According to GDPR Article 28, a DPA must include instructions for the processing of data provided by the controller to the processor. These agreements must specify the subject matter, duration, nature and purpose of processing as well as the type of personal data, categories of data subjects and the obligations and rights of the controller.

DPAs also require a duty of confidence. This aspect of the agreement requires all parties involved in processing data to commit to confidentiality, with the exception of any parties already obligated to confidentiality by statute.

Other important elements of a DPA include specifications regarding the use of sub-processors, the rights of data subjects, requirements for processors to assist controllers, end-of-contract provisions and willingness to demonstrate compliance with Article 28 through audits or inspections. An end-to-end information security platform that allows forcontinuous monitoringcan support these requirements.

Who Must Comply With GDPR Article 28?

Processors must comply with Article 28 GDPR, and the requirements in this article also extend to controllers. A processor that acts outside of the terms of a DPA or violates this agreement could assume the same level of liability as a controller.

For example, a processor who engages sub-processors without prior written authorization from a controller is determining the purposes or means of processing and is a controller with respect to these decisions.

The GDPR applies to companies based in the European Union and European Economic Area as well as companies that control or process the personal data of subjects in these locations. The United Kingdom is subject to the Data Protection Act 2018, which is an implementation of the GDPR.

Which Other GDPR Articles Are Relevant to Article 28?

The GDPR expounds the rights of data subjects and the responsibilities of controllers and processors. Article 28 specifically references several other articles in the GDPR.

The third paragraph of Article 28 references Articles 32 through 36. These articles in Chapter 4 address the security of processing, notification of a personal data breach to the supervisory authority, communication of a personal data breach to the data subject, data protection impact assessment and prior consultation.

The fifth paragraph refers to Article 40 on codes of conduct and Article 42 on certification as guarantees for the role of the processor. This paragraph also references Chapter 10, Article 93 on examination procedures. The final paragraph of Article 28 references several articles in Chapter 8, including Article 82 on the right to compensation and liability, Article 83 on general conditions for imposing administrative fines, and Article 84 on penalties.