To ensure that individuals' personal data is not misused during processing, businesses holding such data must comply with the data protection regulations of the state or country concerned. The General Data Protection Regulation (GDPR), enacted and enforced by the European Union, acts as the benchmark for these regulations.
This status stems from GDPR's comprehensive scope, stringent data protection principles, and penalties for non-compliance. GDPR Article 28, which imposes obligations on data controllers and processors, further reinforces GDPR's standing as the standard for regulations worldwide.
In this article, we take a deeper dive into GDPR Article 28 and how it ensures the protection of data subjects' privacy. But first, let's have a glimpse of what GDPR is.
What is GDPR
Enacted on April 27, 2016, and officially implemented on May 25, 2018, GDPR is a comprehensive set of data protection legislation imposed upon businesses inside and outside the European Union that deal with the personal data of residents of the EU and the European Economic Area (EEA).
GDPR ensures all personal data of data subjects are collected, stored, and retained for lawful purposes only and with proper consent from individuals. While it empowers individuals with more privacy protection rights, it imposes additional responsibility on businesses that hold users’ personal information.
GDPR mandates organisations to abide by its standards. It is not just a legal obligation for them; rather, it helps businesses demonstrate their commitment to protecting users' data privacy. GDPR-compliant businesses find it easier to reinforce their brand credibility, which in turn supports higher customer engagement and retention rates.
That said, any non-compliance can lead to serious repercussions. Based on the degree of violation of GDPR standards, two tiers of fines can be levied on businesses as penalties: the first tier is up to €10 million, or 2% of their yearly global turnover, whichever is higher. The second tier is up to €20 million, or 4% of their annual global turnover, whichever is higher. These two tiers are designed to keep the imposed penalty on par with the severity of the infringement.
GDPR describes the regulations for data processing and data protection in its 99 articles. Among these, Article 28 holds extra significance, as it regulates the relationship between data processors and data controllers and mandates organisations to implement stringent data security measures, regularly monitor compliance, and have data processing agreements in place.
GDPR Article 28
Article 28 of the GDPR framework mandates that data controllers and data processors enter into a contract.
Simply put, a data controller is the organisation holding customers' personal information, and a data processor is any third-party service that processes the data of those customers on behalf of the data controller.
When is a contract needed?
A contract is a legal obligation whenever:
- a third-party data processor processes users' data on a data controller's behalf. An example of this case is a data controller using a third-party service provider, such as a CRM or payroll system, that processes data on its behalf.
- a processor engages another service, known as a sub-processor, to help with data processing activities.
The contract should clearly define the roles and responsibilities of both parties regarding the sharing and processing of personal information of users.
GDPR Article 28 in a Nutshell
You can read Article 28 of the GDPR in detail here. We highlight the key points to help you jumpstart your GDPR compliance journey:
- GDPR mandates data controllers to assess if the third-party processor they intend to use for processing data on their behalf can “sufficiently guarantee” compliance with GDPR standards.
- The processor can use a sub-processor to help them with the agreed-upon processing activities of data controllers only if the data controller permits.
- A written contract should be signed by both the data controller and the processor regarding the data processing activities.
Article 28(3) clearly defines the key details about data processing that must be included in the contract:
- the subject matter (the purpose of data processing) and duration of data processing (for how long data will be processed by the data processor on behalf of the data controller);
- the nature and purpose of the processing;
- the type of personal data being collected and processed and the categories of data subject this data belongs to; and
- the rights and obligations imposed upon the data controller.
- This contract acts as a legal agreement that should clearly state that the processor:
  - guarantees that the employees handling the data processing activities are committed to upholding the confidentiality of the data subjects' personal data.
  - implements stringent security measures, both technical and organisational, to comply with the requirements detailed in GDPR Article 32. Note that both data controllers and data processors must adhere to Article 32 and implement security measures that ensure the integrity, confidentiality, and security of users' personal data during processing. The security measures should include:
    - pseudonymisation and data encryption;
    - data recovery capability to ensure data can be restored even if an incident occurs; and
    - continuous security testing and assessment to test and validate the efficacy of the implemented security measures.
  - is committed to helping the data controller effectively address and meet its responsibilities regarding the rights of data subjects, for example, the right to restrict data processing.
  - provides the data controller with all the information necessary to demonstrate compliance with GDPR. The data controller may also need this information for auditing or inspection purposes.
- If the data processor enlists a sub-processor for the data controller, the terms of the agreement and the data privacy standards set between the processor and the data controller automatically apply to that sub-processor. The processor is held accountable for any non-compliance at the sub-processor's end. This provision is a cornerstone of a transparent and responsible data processing chain.
- The contract/agreement must be in written form, which includes electronic form.