Article 28

GDPR Article 28 outlines the relationship between data controllers and data processors—requiring a shared contract that defines how the processor will handle data provided by the controller.

This contract must include language that limits how, when, and why data can be processed, including:

  • Data processors may only process personal data according to the instructions provided by the data controller.
  • Confidentiality agreements for data processor staff with regard to the data being processed.
  • All personal data must be deleted or returned to the data controller at the end of the data processor’s service term.
  • The data processor will help to ensure GDPR compliance.

In 2017, the Information Commissioner’s Office (ICO) published additional guidelines for contracts between data controllers and data processors, stating they should include:

  • Subject matter of the data processing
  • Relevant timelines
  • Why and how the data is being processed
  • Types of data being processed
  • Categories of data being processed
  • The data controller's rights and obligations

The contract between data controllers and processors is binding and must protect a data subject's rights.