
GDPR Article 28 | Guidelines for Data Processing Agreements

Osman Husain 7/13/23 10:24 PM

Article 28 of the EU’s General Data Protection Regulation (GDPR) outlines requirements for data processing agreements between data controllers and data processors. Any organization doing business in an area protected by GDPR should be aware of these regulations and how to avoid the penalties of non-compliance.

Reports on GDPR fines note that the powers that be have doled out $1.74 billion in penalties since January 2022. It’s also worth noting that per Article 83 of GDPR, those who fail to comply with Article 28 may be liable for fines of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year—whichever amount is higher.

Here, we’ll be demystifying Article 28’s guidelines and how businesses can avoid undue regulatory attention by applying best practices to data handling and privacy.


What Does Article 28 of GDPR Say?

Article 28 of GDPR covers data processing agreements between controllers and processors, ensuring that these agreements comply with the GDPR's data protection principles. By doing so, regulators put appropriate measures in place to protect individuals' personal data throughout the processing lifecycle.

The full text of Article 28 is available here, but for the sake of simplicity we’ll summarize the key points below:

  1. Role of the data processor: The data processor must only process personal data in accordance with the documented instructions provided by the data controller, unless required by law. The processor cannot process the data for any other purposes without prior authorization from the controller.
  2. Confidentiality: The data processor and any individuals acting under its authority must ensure the confidentiality of the personal data being processed. This obligation persists even after the agreement with the data controller ends.
  3. Security measures: The data processor must implement appropriate technical and organizational measures to ensure the security of the personal data pursuant to Article 32 of GDPR.
  4. Sub-processing: If the data processor intends to engage a sub-processor to process personal data, it must obtain prior written consent from the data controller. The processor remains fully liable to the controller for the sub-processor's actions.
  5. Assistance to the data controller: The data processor must assist the data controller in fulfilling its obligations regarding data subject rights, data protection impact assessments, and prior consultations with supervisory authorities.
  6. Data breach notification: The data processor must notify the data controller without undue delay after becoming aware of a personal data breach. The processor must provide all necessary information to help the controller meet its notification obligations.
  7. Deletion or return of data: Upon termination or completion of the processing activities, the data processor must either delete or return all personal data to the data controller, unless required by law to retain the data.
  8. Records of processing activities: The data processor must maintain a record of all categories of processing activities carried out on behalf of the data controller, including details such as the purpose of processing and any cross-border transfers.

The relationship between data processors and data controllers

Understanding the distinction between data processors and data controllers is vital for anyone hoping to stay compliant with Article 28 and GDPR overall.

  • Data controllers are the entities who determine the purposes and means of processing personal data. They exercise control and decision-making authority over the data being processed and ensure that any data processing activities comply with applicable data protection laws.

  • Data processors are separate entities who process personal data on behalf of the data controller. The processor acts under the authority and instructions of the data controller, handling the data only for the purposes defined by the controller. Processors are often third-party service providers engaged by the data controller to carry out specific functions.

It's important to note that processors have direct liability under the GDPR and are required to maintain records of their processing activities. As such, businesses that engage in outsourced data processing should create a data processing agreement (DPA) to govern their arrangement.


What does GDPR Article 28 say about data processing agreements?

A DPA, also known as a data processing addendum, is a legal contract or agreement between a data controller and a data processor. Its purpose is to establish the terms and conditions governing the processing of personal data by the data processor on behalf of the data controller. Additionally, the DPA ensures that both parties comply with any applicable data protection laws.

Data processing agreements are vital to ensure a clear understanding of the roles, responsibilities, and legal obligations between data controllers and processors.


Best practices for GDPR Article 28 compliance

Achieving compliance with Article 28 requires careful attention to your data processing agreements. To ensure compliance, here are some best practices to consider:

  1. Establishing clear roles and responsibilities is crucial. Clearly define the obligations of both the data controller and data processor regarding data protection, security measures, and compliance with applicable laws. This helps create a foundation for understanding each party's responsibilities in the data processing agreement.
  2. Include detailed processing instructions in the agreement. Document and provide explicit instructions to the data processor on how personal data should be processed, including the purpose of processing, the types of data involved, any restrictions or limitations, and the lawful basis for processing. Clear instructions promote consistency and alignment with legal requirements.
  3. Implement appropriate confidentiality and security measures such as data encryption, access controls, regular security assessments, and comprehensive employee training on data protection.
  4. Manage sub-processing effectively. If the data processor intends to engage sub-processors, obtain prior written consent from the data controller and ensure that sub-processors adhere to the same data protection and security standards required by the data processing agreement. Maintaining an up-to-date list of approved sub-processors helps ensure transparency and accountability.
  5. Address data subject rights and breach notification requirements. Define the data processor's obligations regarding data subject rights, including processes for handling data subject access requests, erasure, and objections. Establish procedures for promptly notifying the data controller of any data breaches or security incidents to ensure compliance with breach notification requirements.
  6. Handle data transfers in compliance with GDPR guidelines. If personal data is transferred outside the EU, ensure compliance with applicable transfer mechanisms, such as implementing Standard Contractual Clauses (SCCs) or other approved safeguards to protect data during international transfers.
  7. Stay informed of developments in data protection laws, regulations, and guidelines. Follow industry sources to get relevant guidance from data protection authorities, and attempt to stay on top of industry best practices to ensure that your data processing practices align with evolving requirements.


Get help with your compliance obligations

GDPR compliance can seem daunting, but businesses don’t have to waste time going through regulations with a fine-tooth comb. With the right automation behind you, compliance is easy.

Enzuzo offers a variety of solutions to help businesses achieve effortless, automated processes for compliance management. Our personalized cookie consent banners, form generation tools, and privacy compliance scanner can help any company get a handle on compliance in a matter of minutes. Visit us to see our solutions in action.  

Osman Husain

Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.