§ GDPR · Article 28

GDPR Article 28: Obligations, Deadlines & Penalties

Regulation (EU) 2016/679, Article 28 · All obligations · GDPR
At a glance
Article 28 of the GDPR imposes 17 obligations on controller, processor. At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 28

Obligation 1
The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures to meet Regulation requirements and ensure data subject rights protection. Regulation (EU) 2016/679, Article 28, Article 28
Obligated entity
controller
Action required
use
Deadline
Penalty
Obligation 2
The processor shall not engage another processor without prior specific or general written authorisation of the controller. Regulation (EU) 2016/679, Article 28, Article 28
Obligated entity
processor
Action required
obtain authorisation
Deadline
prior to engagement
Penalty
Obligation 3
In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors. Regulation (EU) 2016/679, Article 28, Article 28
Obligated entity
processor
Action required
inform
Deadline
prior to changes
Penalty
Obligation 4
Processing by a processor shall be governed by a contract or other legal act that is binding on the processor and sets out subject-matter, duration, nature, purpose, data types, categories, and obligations/rights. Regulation (EU) 2016/679, Article 28, Article 28
Obligated entity
controller
Action required
establish contract
Deadline
Penalty
Obligation 5
The processor shall process personal data only on documented instructions from the controller, including regarding transfers to third countries, unless required by law. Regulation (EU) 2016/679, Article 28, Article 28
Obligated entity
processor
Action required
process
Deadline
Penalty
Exemptions
required by Union or Member State law
Obligation 6
If required by law to process data contrary to controller instructions, the processor shall inform the controller of that legal requirement before processing, unless prohibited by law. Regulation (EU) 2016/679, Article 28, Article 28
Obligated entity
processor
Action required
inform
Deadline
before processing
Penalty
Exemptions
if law prohibits such information on important grounds of public interest
Obligation 7
The processor shall ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Regulation (EU) 2016/679, Article 28, Article 28
Obligated entity
processor
Action required
ensure
Deadline
Penalty
Obligation 8
The processor shall take all measures required pursuant to Article 32. Regulation (EU) 2016/679, Article 28, Article 28
Obligated entity
processor
Action required
take measures
Deadline
Penalty
Obligation 9
The processor shall respect the conditions referred to in paragraphs 2 and 4 for engaging another processor. Regulation (EU) 2016/679, Article 28, Article 28
Obligated entity
processor
Action required
respect conditions
Deadline
Penalty
Obligation 10
The processor shall assist the controller by appropriate technical and organisational measures for the fulfilment of the controller's obligation to respond to requests for exercising data subject rights. Regulation (EU) 2016/679, Article 28, Article 28
Obligated entity
processor
Action required
assist
Deadline
Penalty
Obligation 11
The processor shall assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36. Regulation (EU) 2016/679, Article 28, Article 28
Obligated entity
processor
Action required
assist
Deadline
Penalty
Obligation 12
At the choice of the controller, the processor shall delete or return all personal data to the controller after the end of the provision of services and delete existing copies. Regulation (EU) 2016/679, Article 28, Article 28
Obligated entity
processor
Action required
delete or return
Deadline
after end of services
Penalty
Exemptions
unless Union or Member State law requires storage
Obligation 13
The processor shall make available to the controller all information necessary to demonstrate compliance with obligations and allow for audits conducted by the controller or mandated auditor. Regulation (EU) 2016/679, Article 28, Article 28
Obligated entity
processor
Action required
make available
Deadline
Penalty
Obligation 14
The processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other data protection provisions. Regulation (EU) 2016/679, Article 28, Article 28
Obligated entity
processor
Action required
inform
Deadline
immediately
Penalty
Obligation 15
Where a processor engages another processor, the same data protection obligations shall be imposed on that other processor by way of a contract or other legal act. Regulation (EU) 2016/679, Article 28, Article 28
Obligated entity
processor
Action required
impose obligations
Deadline
Penalty
Obligation 16
The initial processor shall remain fully liable to the controller for the performance of the other processor's obligations if that other processor fails to fulfil them. Regulation (EU) 2016/679, Article 28, Article 28
Obligated entity
processor
Action required
remain liable
Deadline
Penalty
Obligation 17
The contract or other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form. Regulation (EU) 2016/679, Article 28, Article 28
Obligated entity
controller
Action required
document
Deadline
Penalty
§ Frequently asked

Questions about Article 28

Who must comply with Article 28 of the GDPR? +
controller, processor.
What does Article 28 of the GDPR require? +
use obtain authorisation inform
What is the compliance deadline for GDPR Article 28? +
after end of services; before processing; immediately; prior to changes; prior to engagement
Need a cross-border briefing on GDPR Article 28?
Search Fontvera ↵
All EU obligation pages  ·  All GDPR articles