
GDPR Article 28: Understanding Data Controller and Processor Functions

August 24, 2023

This guide explains GDPR Article 28: the roles of data controllers and data processors, the obligations the Article places on processors, what a Data Processing Agreement must contain, and how meeting these obligations supports data security and builds trust.

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018, aimed at safeguarding the privacy and personal data of individuals within the European Union (EU).
Its primary purpose is to provide individuals with greater control over their personal information while setting strict guidelines for organizations handling such data.

Significance Of Article 28 Within The GDPR Framework

A central pillar of the GDPR’s data protection framework is Article 28, the provision that governs the relationship between data controllers and data processors.

Data controllers are entities that determine the purposes and means of processing personal data, while data processors are entities that process the data on behalf of the data controllers.

Article 28 plays a significant role in the GDPR as it establishes specific requirements for the collaboration between data controllers and data processors to ensure the lawful and secure processing of personal data. 

By outlining the responsibilities and obligations of both parties, Article 28 enhances accountability and transparency in data processing activities, promoting a high level of data protection for individuals within the EU.

Key Entities Involved:

  • Data Controller
  • Data Processor

What Is The Difference Between A Data Controller And A Data Processor?

  • Data Controllers: Data controllers are the organizations or entities that collect personal data from individuals and determine the purposes and means of processing that data. They carry the primary responsibility for complying with the GDPR’s data protection principles (Article 5) and for ensuring that personal data is processed lawfully.
  • Data Processors: Data processors are organizations or entities that process personal data on behalf of data controllers. They act solely on the controller’s documented instructions and are directly responsible for the security and confidentiality of the data they handle (Articles 28 and 32). A processor that starts deciding the purposes and means of processing on its own is treated as a controller for that processing (Article 28(10)).
  • In the context of Article 28, the relationship between data controllers and data processors is of paramount importance: both parties must work together to ensure that personal data is processed lawfully, transparently, and in accordance with the rights of data subjects.

What Are Data Processing Agreements (DPA)?

A Data Processing Agreement (DPA) is a legal contract that governs the relationship between a data controller and a data processor. 

It is a vital instrument in ensuring that personal data is processed in a lawful, secure, and transparent manner, as required by the General Data Protection Regulation (GDPR). 

The DPA sets out the terms and conditions under which the data processor handles personal data on behalf of the data controller, defining the roles, responsibilities, and obligations of each party in the data processing activities.

A Brief Overview Of The Processor Under GDPR Article 28

GDPR Article 28 outlines the obligations and requirements for data processors under the General Data Protection Regulation (GDPR).

In this context, a data processor is an entity or organization that processes personal data on behalf of a data controller.

Definition of Data Processor: According to GDPR Article 4(8), a data processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller. 

The data processor acts under the authority and instructions of the data controller and does not decide the purposes or means of processing the data.

Responsibilities of Data Processors: Article 28 establishes specific obligations for data processors, including:

  • Processing Data Only on Instructions: Under Article 28(3)(a), data processors must process personal data solely on documented instructions from the data controller, including with regard to transfers of personal data to a third country. The one exception is processing required by Union or Member State law; in that case the processor must inform the controller of the legal requirement before processing, unless that law prohibits doing so on important grounds of public interest. Using the data for any other purpose without the controller’s authorization turns the processor into a controller for that processing (Article 28(10)).
  • Confidentiality: Data processors must ensure that the persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b)), and must implement the security measures required by Article 32 (Article 28(3)(c)).
  • Assistance to Data Controller: Data processors must assist the data controller in fulfilling its obligations under the GDPR, taking into account the nature of the processing. This includes helping the controller respond to data subject rights requests (Article 28(3)(e)) and supporting security measures, personal data breach notifications, and data protection impact assessments (Article 28(3)(f)). A processor that becomes aware of a personal data breach must notify the controller without undue delay (Article 33(2)).
  • Sub-processing: Data processors may engage sub-processors only with the prior specific or general written authorization of the data controller (Article 28(2)). Under a general authorization, the processor must inform the controller of any intended addition or replacement of sub-processors and give the controller the opportunity to object. The processor must have a written contract with each sub-processor that imposes the same data protection obligations as the DPA between the data controller and the data processor, and the processor remains fully liable to the controller for the sub-processor’s performance (Article 28(4)).
  • Data Processing Agreement (DPA): Under Article 28(3), processing by a processor must be governed by a contract or other legal act that is binding on the processor and sets out the subject-matter and duration of the processing, its nature and purpose, the type of personal data and categories of data subjects, and the obligations and rights of the controller. The contract must be in writing, which includes electronic form (Article 28(9)). The DPA is the legal document that governs the data processing relationship between the data controller and the data processor.
  • Accountability: Data processors are accountable for their own processing activities and must be able to demonstrate compliance, for example by maintaining a record of the categories of processing carried out on behalf of each controller (Article 30(2)). They can be held liable for damage caused by processing where they have not complied with obligations specifically directed at processors or have acted outside or contrary to the controller’s lawful instructions (Article 82(2)), and they are subject to administrative fines (Article 83).

Key Components of Data Processing Agreements

Below are the key components that should be included in a comprehensive Data Processing Agreement:

  • Purpose and Scope of Data Processing: Clearly state the subject-matter, nature, and purpose of the processing, as Article 28(3) requires. This section should match the documented instructions the data controller gives the data processor, and it should define the scope of the processing activities precisely enough that any use of the data outside that scope is identifiable as unauthorized.
  • Types of Personal Data and Data Subjects: Identify the types and categories of personal data the data processor will process on behalf of the data controller, and the categories of data subjects concerned (both are required by Article 28(3)). Call out any special categories of data under Article 9 (for example health, biometric, or political-opinion data), since these attract stricter processing conditions and security expectations.
  • Data Subject Rights: Specify the procedures and measures the data processor will implement to assist the data controller in responding to data subject requests, such as access, rectification, erasure, restriction of processing, data portability, and objection. Agreeing response times and points of contact in advance helps the controller meet the one-month deadline in Article 12(3).
  • Confidentiality and Security: Address the data processor’s obligation to maintain the confidentiality and security of the personal data. This includes implementing appropriate technical and organizational measures under Article 32 to protect against unauthorized access, loss, destruction, or alteration of the data, and ensuring that staff with access are bound by confidentiality. It should also cover procedures for reporting and managing personal data breaches: the processor must notify the controller without undue delay (Article 33(2)), and because the controller itself has 72 hours to notify the supervisory authority (Article 33(1)), the DPA should fix a concrete notification deadline and the minimum information the processor must provide.
  • Sub-processing: If the data processor intends to engage sub-processors, set out the conditions under which this is permitted: whether authorization is specific or general, how the controller is informed of additions or replacements, and how it can object (Article 28(2)). The DPA should require the data processor to have a written contract with each sub-processor that imposes the same data protection obligations as the DPA between the data controller and the data processor, and should state that the processor remains fully liable for the sub-processor (Article 28(4)).
  • Duration of Data Processing: Specify the duration of the data processing activities, which Article 28(3) requires. Data processors should retain personal data only for as long as necessary for the purposes set out in the agreement.
  • International Data Transfers: Address the requirements for international data transfers, if applicable. Since transfers to a third country count as processing on the controller’s documented instructions (Article 28(3)(a)), the DPA should state where the data may be processed and which Chapter V mechanism applies: an adequacy decision (Article 45), Standard Contractual Clauses (Article 46(2)(c)), or Binding Corporate Rules (Article 47).
  • Assistance to the Data Controller: Outline the data processor’s duty to assist the data controller in fulfilling its GDPR obligations, including cooperating with supervisory authorities, supporting data protection impact assessments (DPIAs) and any prior consultation, and providing the information needed for compliance assessments.
  • Deletion or Return of Data: Define the procedures for deleting or returning personal data at the end of the processing services or upon the data controller’s request. Under Article 28(3)(g) the choice between deletion and return belongs to the controller, and the processor must also delete existing copies, including backups, unless Union or Member State law requires the data to be stored. The DPA should state how deletion is carried out and evidenced (for example, a written confirmation once backups have expired).
  • Audits and Inspections: Address the data processor’s obligation to make available all information necessary to demonstrate compliance and to allow for and contribute to audits, including inspections, conducted by the data controller or by an auditor mandated by the controller (Article 28(3)(h)). The same provision requires the processor to inform the controller immediately if, in its opinion, an instruction infringes the GDPR or other data protection law.
  • Governing Law and Dispute Resolution: Specify the law governing the DPA and set out the process for resolving disputes between the data controller and the data processor.

To summarise, the General Data Protection Regulation (GDPR) is a crucial data protection law that safeguards personal data and grants individuals greater control over their information. Article 28 defines the relationship between data controllers and processors, ensuring accountability and transparency in data processing. Data Processing Agreements (DPAs) are essential to formalize this relationship and to support lawful and secure data processing. While GDPR compliance presents challenges, practices such as data minimization, sound consent mechanisms, and tested incident response plans help organizations meet the regulation’s requirements and protect individuals’ privacy rights. Embracing GDPR principles fosters responsible data handling and strengthens trust between organizations and data subjects.
