AuditFront

GDPR Art.28: Processor

What This Control Requires

Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. The processor shall not engage another processor without prior specific or general written authorisation of the controller.

In Plain Language

Nearly every organisation relies on third-party service providers to process personal data - cloud hosting, payroll, marketing automation, analytics, customer support. Article 28 sets the rules for these relationships. As the controller, you're responsible for making sure your processors handle data in line with the GDPR, and you need proper contracts to back that up.

Every processor relationship must be governed by a binding contract, in writing (electronic form is fine), usually called a data processing agreement (DPA). The DPA must set out the subject matter and duration of the processing, its nature and purpose, the types of personal data and categories of data subjects, and the controller's obligations and rights. It must also bind the processor to act only on your documented instructions (including for international transfers), keep its personnel under confidentiality, implement appropriate security measures, respect the sub-processor conditions, assist you with data subject rights requests and with your security, breach notification and DPIA obligations, delete or return the data at the end of the service, make available the information you need to demonstrate compliance and allow audits, and tell you if it believes an instruction infringes the GDPR.

You also can't just pick the cheapest option and move on. There's a due diligence obligation - you need to select processors that provide sufficient guarantees of compliance, and you need to keep monitoring them after the contract is signed. Your processors, in turn, can't bring in sub-processors without your prior written authorisation, and they must pass down the same data protection obligations to anyone further down the chain.

How to Implement

Build a processor assessment process. Before engaging any new vendor that will handle personal data, evaluate their data protection practices. Look at their technical and organisational security measures, track record, relevant certifications, sub-processor arrangements, and where they process data geographically. ISO 27001 certification is a useful signal that a managed security programme exists, but check that the certificate's scope actually covers the service you are buying; Article 28(5) also recognises adherence to an approved code of conduct or an approved GDPR certification as a way to demonstrate sufficient guarantees. Document the assessment and your decision rationale.

Create a DPA template that covers every mandatory clause under Article 28(3): processing only on documented instructions (including any international transfers), confidentiality obligations for personnel, appropriate security measures under Article 32, sub-processor management with prior authorisation, assistance with data subject rights, assistance with security, breach notification and DPIA obligations, data deletion or return on termination, audit/inspection rights together with the information needed to demonstrate compliance, and a duty on the processor to inform you if an instruction would infringe data protection law. Include provisions on international transfers if relevant. Use this template consistently across all processor engagements.

Keep a register of all your processors and their sub-processors, linked to your Records of Processing Activities under Article 30. For each entry, record the processor's identity and contacts, what processing they do, which data categories are involved, where processing happens geographically, the applicable DPA and its key terms, the date of the last review, and the current status of due diligence and any open issues.

Don't treat processor oversight as a one-time activity. Review processor audit reports and certifications periodically. Run questionnaire-based assessments on a regular cycle. Exercise your audit rights - on-site or remote - for high-risk processors. Monitor sub-processor changes and assess new additions. Track how processors perform on breach notification. If you spot deficiencies, follow up and get them resolved.

Decide how you want to manage sub-processor authorisation. Specific authorisation means approving each sub-processor individually - more control, more administrative overhead. General authorisation lets processors bring in sub-processors as long as they inform you of intended additions or replacements and give you the opportunity to object - more practical for most situations. Either way, make sure equivalent data protection obligations flow down the chain under Article 28(4), remember that the initial processor remains fully liable to you for any sub-processor's failures, and make sure you have visibility into who is handling your data.

Evidence Your Auditor Will Request

  • Processor due diligence assessment procedure and completed assessments
  • GDPR-compliant data processing agreements (DPAs) with all processors
  • Register of all processors and sub-processors with processing details
  • Evidence of ongoing monitoring of processor compliance (audits, reviews, assessments)
  • Records of sub-processor authorisations and change notifications

Common Mistakes

  • No data processing agreements in place with processors, or agreements missing mandatory Article 28(3) clauses
  • No due diligence conducted before engaging processors - selection based purely on cost or functionality
  • Lack of visibility into sub-processor chains, with no authorisation or notification mechanism
  • No ongoing monitoring of processor compliance after initial engagement
  • Processors processing data beyond the controller's documented instructions

Related Controls Across Frameworks

Framework    Control ID    Relationship
ISO 27001    A.5.19        Related
ISO 27001    A.5.20        Related
NIS2         Art.21.2e     Related

Frequently Asked Questions

What must a data processing agreement include?
Article 28(3) requires the contract to set out the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects, and the controller's obligations and rights, and then lists the mandatory processor obligations: processing only on documented instructions, confidentiality obligations, appropriate security measures, sub-processor management, assistance with data subject rights, assistance with security, breach notification and DPIA obligations, data deletion or return on termination, audit/inspection rights, and informing the controller of instructions that would infringe the GDPR. In practice, most DPAs also address international transfers, liability allocation, and insurance requirements.
Can we use a processor's standard terms instead of our own DPA?
Yes, as long as their terms include all the mandatory Article 28(3) elements. Large cloud providers and SaaS vendors typically offer standard DPA addendums. But review them carefully - make sure they actually meet your requirements and don't contain clauses that undermine your control. In particular, many vendor DPAs make sub-processor change notification opt-in (a mailing list or web page you must subscribe to); if nobody in your organisation subscribes, the objection window passes unnoticed. A vendor's boilerplate DPA isn't automatically compliant just because it's widely used.
What is the difference between specific and general authorisation for sub-processors?
Specific authorisation means the processor needs your approval for each individual sub-processor before engaging them. General authorisation means they can bring in sub-processors without asking each time, but they must notify you of any changes and give you a window to object. Most organisations go with general authorisation for practical reasons, combined with clear objection rights and the ability to terminate if a sub-processor is unacceptable.
