UK GDPR: Processors (Article 28)
Processor Requirements [Art 28]
Key requirement: A written contract is mandatory between controller and processor.
Rule: Controllers can only use processors that provide sufficient guarantees, and must have a written contract in place.
Controller obligations [Art 28(1)]
| Requirement | Details | Citation |
|---|---|---|
| Use only compliant processors | Sufficient guarantees of appropriate measures | Art 28(1) |
| Written contract required | Or other legal act | Art 28(3) |
| Authorise sub-processors | Processor needs written authorisation | Art 28(2) |
Required contract terms [Art 28(3)]
The contract must set out:
| Term | What it covers | Citation |
|---|---|---|
| Subject-matter and duration | Scope of processing | Art 28(3) |
| Nature and purpose | What processing is for | Art 28(3) |
| Type of personal data | Categories of data | Art 28(3) |
| Categories of data subjects | Whose data | Art 28(3) |
| Controller obligations and rights | Controller’s responsibilities | Art 28(3) |
Processor obligations in contract [Art 28(3)(a-h)]
| Obligation | Details | Citation |
|---|---|---|
| Process only on instructions | Documented instructions from controller | Art 28(3)(a) |
| Confidentiality | Persons authorised to process the data have committed to confidentiality | Art 28(3)(b) |
| Security measures | Take all measures per Article 32 | Art 28(3)(c) |
| Sub-processor conditions | Same data protection obligations | Art 28(3)(d) |
| Assist with data subject rights | Help controller respond to requests | Art 28(3)(e) |
| Assist with security obligations | Help controller meet its obligations under Arts 32 to 36 | Art 28(3)(f) |
| Delete or return data | At end of services | Art 28(3)(g) |
| Allow audits | Make compliance information available; allow and contribute to audits and inspections | Art 28(3)(h) |
Sub-processors [Art 28(2), (4)]
| Scenario | Requirement | Citation |
|---|---|---|
| General authorisation | Controller gives general written authorisation | Art 28(2) |
| Specific authorisation | Controller authorises each sub-processor | Art 28(2) |
| Notification of changes | Inform controller of any intended change of sub-processor; controller may object | Art 28(2) |
| Same obligations | Sub-processor contract must mirror main contract | Art 28(4) |
| Processor remains liable | For sub-processor’s performance | Art 28(4) |
Source Text
Article 28(1): Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Article 28(3): Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
(a) processes the personal data only on documented instructions from the controller…
(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality…
(c) takes all measures required pursuant to Article 32;
(d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
(e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights…
(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing…
(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.