Art. 28 GDPR

Art. 28 GDPR regulates the relationship between the data controller and the data processor. Data controllers can only cooperate with data processors who can guarantee that they implement appropriate technical and organizational measures.

What is Art. 28 GDPR?

The General Data Protection Regulation (GDPR) requires data controllers to have a written agreement with the data processor setting out the terms and conditions of the data processing activity. Thus, before entering into a contract with the data processor, both parties must sign a data processing agreement on the performance of the processing of personal data.

The terms, conditions and requirements of the data processing agreement are set out in Art. 28 GDPR. Art. 28 GDPR outlines the requirements and provides guidance for data processors, highlighting their responsibility to ensure the privacy and security of personal data. The data controller must be able to demonstrate the necessary technical knowledge, expertise and resources to provide adequate safeguards, according to Art. 28 GDPR.

Art. 28 GDPR and its requirements also apply to the transfer of personal data to a third country or an international organization. The data processor must ensure in all circumstances that it is authorized to process the data while complying with the security and data protection requirements of the GDPR. The data processor must take all measures required under Article 32 to ensure the security of the processing of personal data.

What is the difference between data controller and data processor?

According to Article 28 of the GDPR, the term “data controller” means any natural or legal person involved in determining the purposes and means of the processing of personal data, while the term “data processor” means any natural or legal person involved in processing personal data on behalf of the data controller. In simple terms, the data processor processes personal data on behalf of the data controller and not for its own purposes. While the data processor must follow some rules to ensure that the data is processed properly, ultimately the data controller is responsible for the personal data as defined by law (Article 28 GDPR).

Selection of the data processor

Art. 28 GDPR clearly sets out the criteria for the selection of a data processor. The data controller may only work with data processors who have taken appropriate technical and organizational security measures that meet the requirements of the GDPR, in particular so that the protection of the rights of data subjects is ensured. In other words, data controllers may only cooperate with data processors that can guarantee the implementation of sufficient security measures complying with the requirements of the GDPR.

What does Art. 28 GDPR state?

According to Art. 28 GDPR, the data controller may only use data processors that can provide sufficient guarantees that the processing activities comply with the provisions of the GDPR. In addition:

  1. The data processor may not engage other data processors (for the agreed processing activities) without the consent of the data controller (Art. 28 GDPR).

  2. Processing by the data processor must be governed by a contract or other legally binding agreement between the data processor and the data controller, in accordance with Art. 28 GDPR, specifying details such as the duration of the processing, its purpose, the categories of data processing and the obligations of the data controller, and in particular stipulating that the processor:

  • ensures that the persons authorized to process the data are bound to confidentiality
  • applies the necessary security measures
  • assists the data controller in fulfilling its obligations relating to data subject rights (e.g. the right to be forgotten)
  • provides the data controller with all information necessary to demonstrate compliance with the regulations

  3. If the data processor engages another data processor on behalf of the data controller, the binding agreement and data protection standards concluded between the data controller and the data processor also apply to that other data processor (Art. 28 GDPR). If that other data processor does not comply with these obligations, the original data processor remains liable to the data controller.

  4. The contract on the above points must be in writing (including electronic form) in accordance with Art. 28 GDPR.

  5. If the data processor violates this Regulation by using its own methods for processing user data, it is considered a data controller in relation to that specific processing (Art. 28 GDPR).

Appropriate security measures (Art. 28 GDPR)

According to Art. 28 GDPR paragraph 3, the contract must require the processor to implement all security measures necessary to comply with the requirements of Article 32 GDPR on security of processing.

Both the data controller and the processor are required by Article 32 to implement appropriate technical and organizational measures to ensure the security of the personal data they process, including, where applicable:

  • encryption and pseudonymization
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • the ability to restore access to personal data in the event of an incident; and
  • procedures for periodically testing and evaluating the effectiveness of the measures.

Codes of conduct and certifications can also help processors provide sufficient guarantees that their processing complies with the GDPR.

Provisions on the end of the contract according to Art. 28 GDPR

According to Art. 28 GDPR paragraph 3, the contract must provide that, at the end of the contract, the processor:

  • at the discretion of the data controller, deletes or returns to the data controller all personal data that it has processed on its behalf; and
  • erases existing copies of the personal data.

It should be noted that the erasure of personal data must be carried out in a secure manner, in accordance with the security requirements of Article 32.

The contract must include these conditions to ensure the protection of personal data even after the contract ends. Thus, this paragraph of Article 28 GDPR takes into account the fact that it is ultimately up to the data controller to decide what to do with the personal data processed once the processing is completed. Provided that appropriate safeguards are in place, such as the immediate cessation of the use of the data, it may be acceptable that the data is not deleted immediately if the retention period is reasonable and the data is subsequently deleted as soon as possible, e.g. as part of the next deletion/destruction cycle of the processor.
