
EU GDPR – Article 28 (Processor)

Abstract

EU GDPR Article 28 focuses on the responsibilities and obligations surrounding data processors, entities that process personal data on behalf of data controllers. This article ensures that controllers only engage processors that provide sufficient guarantees to implement appropriate technical and organizational measures (TOMs) to protect personal data. By regulating the controller–processor relationship, Article 28 strengthens accountability, reduces data protection risks, and ensures consistent GDPR compliance across third-party service providers. In an increasingly outsourced and cloud-driven data ecosystem, Article 28 plays a critical role in safeguarding the rights and freedoms of data subjects.

Explanation

Under GDPR, personal data is often processed by third parties such as cloud providers, IT vendors, payroll services, marketing agencies, and analytics platforms. Article 28 governs this relationship by setting strict conditions under which a controller may appoint a processor.

A key requirement is that processors must offer "sufficient guarantees" that they will implement appropriate technical and organisational measures so that processing meets GDPR requirements and protects the rights of data subjects (Article 28(1)). These guarantees are not abstract promises; they must be demonstrable through documented security measures, internal policies, and operational controls, and Article 28(5) expressly allows adherence to an approved code of conduct (Article 40) or an approved certification mechanism (Article 42) to be used as an element in demonstrating them.

Additionally, Article 28(3) mandates that processing must be governed by a contract or other legal act under EU or Member State law that binds the processor to the controller, commonly implemented as a data processing agreement (DPA). This contract must be in writing, including electronic form (Article 28(9)), and must set out the subject matter and duration of the processing, its nature and purpose, the type of personal data and categories of data subjects, and the obligations and rights of the controller.

Importantly, processors are not free to act independently. They may process data only on documented instructions from the controller, including with regard to transfers to third countries, unless required to do so by EU or Member State law, in which case the processor must inform the controller of that legal requirement before processing (unless the law prohibits this on important grounds of public interest). The processor must also immediately inform the controller if, in its opinion, an instruction infringes the GDPR. A processor that goes beyond its instructions and determines the purposes and means of processing itself is treated as a controller for that processing (Article 28(10)). This reinforces the controller's primary responsibility for lawful processing while ensuring processors remain accountable for their actions.

Key Points
  1. Controller Responsibility: Controllers may only engage processors that provide sufficient guarantees of appropriate technical and organisational measures, demonstrable through documented controls, approved codes of conduct, or certifications.
  2. Mandatory Data Processing Agreement (DPA): A binding contract or other legal act, in writing (including electronic form), must exist, outlining subject matter, duration, nature and purpose of processing, data types and data subject categories, and the security and other obligations of the processor.
  3. Technical and Organizational Measures (TOMs): Processors must implement the Article 32 security measures appropriate to the risk, such as pseudonymisation and encryption, access controls, resilience and recovery capabilities, and regular testing of those measures.
  4. Processor Confidentiality: Persons authorized to process personal data must have committed themselves to confidentiality or be under an appropriate statutory obligation of confidentiality.
  5. Sub-Processor Controls: Processors may not engage sub-processors without the controller's prior specific or general written authorization; under a general authorization the processor must inform the controller of intended additions or replacements and give it the opportunity to object. The same data protection obligations must be flowed down by contract to each sub-processor, and the initial processor remains fully liable to the controller for the sub-processor's performance (Article 28(4)).
  6. Assistance to Controllers: Processors must assist controllers, taking into account the nature of the processing, in responding to data subject requests and in meeting the obligations of Articles 32 to 36 (security, breach notification, DPIAs, and prior consultation).
  7. Data Deletion or Return: After the end of the services, the processor must, at the controller's choice, delete or return all personal data and delete existing copies, unless EU or Member State law requires storage.
  8. Audit and Compliance Rights: Processors must make available all information necessary to demonstrate compliance with Article 28 and must allow for and contribute to audits, including inspections, conducted by the controller or an auditor mandated by the controller; they must also immediately inform the controller of any instruction they consider to infringe the GDPR.

General Activation Steps

To effectively activate and comply with Article 28, organizations should follow these structured steps:

  1. Identify Processing Activities: Map all third-party vendors that process personal data on behalf of the organization, and reconcile that inventory with the records of processing activities kept under Article 30.
  2. Vendor Due Diligence: Assess processors for GDPR readiness, including security certifications (for example ISO 27001), adherence to approved codes of conduct or GDPR certification mechanisms (Articles 40 and 42), privacy policies, and risk assessments.
  3. Draft or Review DPAs: Ensure all processor relationships are governed by GDPR-compliant data processing agreements that contain every element required by Article 28(3); standard contractual clauses adopted by the Commission or a supervisory authority may be used in whole or in part.
  4. Define Processing Instructions: Clearly document what data may be processed, for what purpose, and under which conditions, including whether and to which third countries data may be transferred.
  5. Monitor and Audit: Regularly review processor performance, conduct audits or inspections, and request compliance evidence such as certifications, audit reports, and test results.
  6. Sub-Processor Oversight: Maintain visibility and control over any sub-processors used by the primary processor, including an up-to-date sub-processor list, a change-notification and objection procedure, and confirmation that obligations have been flowed down.
  7. Incident Management Integration: Align breach notification procedures between controllers and processors so that the processor notifies the controller without undue delay after becoming aware of a breach (Article 33(2)) and the controller can meet its 72-hour notification deadline to the supervisory authority.

Use Cases
  1. Cloud Service Providers: Organizations using cloud hosting services rely on Article 28 to ensure providers implement robust encryption, access controls, and tenant isolation measures, and to control where data is stored and which sub-processors are involved.
  2. Payroll and HR Outsourcing: When employee data is processed by payroll vendors, Article 28 ensures lawful handling, confidentiality, and secure retention and deletion practices.
  3. Marketing and Analytics Platforms: Digital marketing agencies processing customer data must act strictly under controller instructions and assist with data subject rights; a platform that reuses the data for its own purposes becomes a controller for that processing.
  4. IT Support and Managed Services: IT vendors accessing systems containing personal data must be contractually bound to confidentiality and security requirements, even where their access is incidental to the service.
  5. Healthcare and Insurance Processing: Special categories of personal data (Article 9) processed by third-party vendors require heightened safeguards under Article 28 obligations.

Dependencies

Article 28 does not operate in isolation. Its effectiveness depends on coordination with several other GDPR provisions:

  1. Article 4 – Defines "controller" and "processor"
  2. Article 5 – Data protection principles (lawfulness, minimization, integrity)
  3. Article 24 – Controller responsibility
  4. Article 29 – Processing under the authority of the controller or processor
  5. Article 30 – Records of processing activities (kept by both controllers and processors)
  6. Article 32 – Security of processing
  7. Articles 33 & 34 – Personal data breach notification
  8. Article 35 – Data protection impact assessments
  9. Articles 40 & 42 – Codes of conduct and certification as evidence of sufficient guarantees
  10. Articles 44–49 – International data transfers

Together, these articles form a comprehensive compliance framework governing outsourced data processing.

Tools and Technologies

To support Article 28 compliance, organizations commonly rely on the following tools and technologies:

  1. Vendor Risk Management Platforms – Assess and monitor processor compliance
  2. Contract Management Systems – Store and manage DPAs and legal agreements
  3. Data Encryption Tools – Protect data at rest and in transit
  4. Access Control Systems – Limit processor access based on role and necessity
  5. Audit and Compliance Software – Track assessments, certifications, and reports
  6. Incident Response Platforms – Coordinate breach notifications and investigations
  7. Privacy Management Tools – Support data subject rights and processor collaboration

Let's Wrap

EU GDPR Article 28 is a cornerstone of modern data protection governance. It ensures that when personal data is processed by third parties, accountability does not diminish but instead extends through clear contracts, enforceable obligations, and continuous oversight.

By requiring controllers to select processors with sufficient guarantees and by imposing strict operational duties on processors, Article 28 builds trust across the data processing ecosystem. In an era of outsourcing, cloud computing, and global service providers, this article protects data subjects while enabling organizations to operate efficiently and lawfully.

Ultimately, effective compliance with Article 28 is not just a legal obligation; it is a strategic investment in data security, transparency, and long-term organizational resilience.
