§ GDPR · Article 28
GDPR Article 28: Obligations, Deadlines & Penalties
At a glance
Article 28 of the GDPR imposes 17 obligations on controller, processor. At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 28
Obligation 1
The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures to meet Regulation requirements and ensure data subject rights protection.
Regulation (EU) 2016/679, Article 28, Article 28
- Obligated entity
-
controller
- Action required
-
use
- Deadline
-
—
- Penalty
-
—
Obligation 2
The processor shall not engage another processor without prior specific or general written authorisation of the controller.
Regulation (EU) 2016/679, Article 28, Article 28
- Obligated entity
-
processor
- Action required
-
obtain authorisation
- Deadline
-
prior to engagement
- Penalty
-
—
Obligation 3
In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors.
Regulation (EU) 2016/679, Article 28, Article 28
- Obligated entity
-
processor
- Action required
-
inform
- Deadline
-
prior to changes
- Penalty
-
—
Obligation 4
Processing by a processor shall be governed by a contract or other legal act that is binding on the processor and sets out subject-matter, duration, nature, purpose, data types, categories, and obligations/rights.
Regulation (EU) 2016/679, Article 28, Article 28
- Obligated entity
-
controller
- Action required
-
establish contract
- Deadline
-
—
- Penalty
-
—
Obligation 5
The processor shall process personal data only on documented instructions from the controller, including regarding transfers to third countries, unless required by law.
Regulation (EU) 2016/679, Article 28, Article 28
- Obligated entity
-
processor
- Action required
-
process
- Deadline
-
—
- Penalty
-
—
- Exemptions
- required by Union or Member State law
Obligation 6
If required by law to process data contrary to controller instructions, the processor shall inform the controller of that legal requirement before processing, unless prohibited by law.
Regulation (EU) 2016/679, Article 28, Article 28
- Obligated entity
-
processor
- Action required
-
inform
- Deadline
-
before processing
- Penalty
-
—
- Exemptions
- if law prohibits such information on important grounds of public interest
Obligation 7
The processor shall ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Regulation (EU) 2016/679, Article 28, Article 28
- Obligated entity
-
processor
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
Obligation 8
The processor shall take all measures required pursuant to Article 32.
Regulation (EU) 2016/679, Article 28, Article 28
- Obligated entity
-
processor
- Action required
-
take measures
- Deadline
-
—
- Penalty
-
—
Obligation 9
The processor shall respect the conditions referred to in paragraphs 2 and 4 for engaging another processor.
Regulation (EU) 2016/679, Article 28, Article 28
- Obligated entity
-
processor
- Action required
-
respect conditions
- Deadline
-
—
- Penalty
-
—
Obligation 10
The processor shall assist the controller by appropriate technical and organisational measures for the fulfilment of the controller's obligation to respond to requests for exercising data subject rights.
Regulation (EU) 2016/679, Article 28, Article 28
- Obligated entity
-
processor
- Action required
-
assist
- Deadline
-
—
- Penalty
-
—
Obligation 11
The processor shall assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36.
Regulation (EU) 2016/679, Article 28, Article 28
- Obligated entity
-
processor
- Action required
-
assist
- Deadline
-
—
- Penalty
-
—
Obligation 12
At the choice of the controller, the processor shall delete or return all personal data to the controller after the end of the provision of services and delete existing copies.
Regulation (EU) 2016/679, Article 28, Article 28
- Obligated entity
-
processor
- Action required
-
delete or return
- Deadline
-
after end of services
- Penalty
-
—
- Exemptions
- unless Union or Member State law requires storage
Obligation 13
The processor shall make available to the controller all information necessary to demonstrate compliance with obligations and allow for audits conducted by the controller or mandated auditor.
Regulation (EU) 2016/679, Article 28, Article 28
- Obligated entity
-
processor
- Action required
-
make available
- Deadline
-
—
- Penalty
-
—
Obligation 14
The processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other data protection provisions.
Regulation (EU) 2016/679, Article 28, Article 28
- Obligated entity
-
processor
- Action required
-
inform
- Deadline
-
immediately
- Penalty
-
—
Obligation 15
Where a processor engages another processor, the same data protection obligations shall be imposed on that other processor by way of a contract or other legal act.
Regulation (EU) 2016/679, Article 28, Article 28
- Obligated entity
-
processor
- Action required
-
impose obligations
- Deadline
-
—
- Penalty
-
—
Obligation 16
The initial processor shall remain fully liable to the controller for the performance of the other processor's obligations if that other processor fails to fulfil them.
Regulation (EU) 2016/679, Article 28, Article 28
- Obligated entity
-
processor
- Action required
-
remain liable
- Deadline
-
—
- Penalty
-
—
Obligation 17
The contract or other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.
Regulation (EU) 2016/679, Article 28, Article 28
- Obligated entity
-
controller
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 28
Who must comply with Article 28 of the GDPR?
+
controller, processor.
What does Article 28 of the GDPR require?
+
use obtain authorisation inform
What is the compliance deadline for GDPR Article 28?
+
after end of services; before processing; immediately; prior to changes; prior to engagement