Updated: July 2026
The relationship between data controllers and data processors sits at the heart of lawful and secure personal data processing under the General Data Protection Regulation (GDPR). Article 28 sets out specific requirements for this relationship.
It also helps to understand the broader responsibilities both parties hold, beyond what’s written into the contract itself.
• Controllers decide the purposes and means of processing personal data and are responsible for making sure any processing activities comply with the GDPR.
• Processors act on behalf of controllers and must process data only under documented instructions from the controller, with appropriate security measures in place to protect the data.
• Contracts between controllers and processors must set out the scope of processing, security obligations, and terms for engaging sub-processors, among other requirements.
A data controller is the entity that decides why and how personal data is processed. Controllers are accountable for making sure processing activities comply with the GDPR, and they must put appropriate technical and organisational measures in place to protect personal data.
A data processor processes personal data on behalf of the controller. Processors must follow the controller’s documented instructions and implement appropriate security measures to stay compliant. They also have direct obligations under the GDPR, such as keeping records of processing activities and notifying controllers of data breaches.
The GDPR requires controllers and processors to enter into a binding contract that sets out the terms of data processing. This contract should include:
• Subject matter and duration of the processing
• Nature and purpose of the processing
• Types of personal data and categories of data subjects
• Obligations and rights of the controller
• Processor’s commitments, such as processing data only on documented instructions, ensuring confidentiality, and implementing security measures
The contract should also state the conditions under which the processor can engage sub-processors, and set out procedures for notifying data breaches and responding to data subject rights requests.
Processors must not engage another processor without prior specific or general written authorisation from the controller. Once authorised, processors must make sure sub-processors are bound by the same data protection obligations set out in the controller-processor contract. The initial processor stays fully liable to the controller for the sub-processor’s performance.
Beyond contractual obligations, processors have direct responsibilities under the GDPR, including:
• Implementing appropriate security measures to protect personal data.
• Keeping records of processing activities.
• Notifying the controller without undue delay after becoming aware of a personal data breach.
• Assisting the controller with data subject rights, data breach notifications, and data protection impact assessments.
GDPR Article 28 sets out the legal, statutory, and contractual requirements organisations must follow to keep personal data processing compliant.
Article 28(3) lists eight specific obligations a processor must accept in the contract, from processing data only on documented instructions to assisting the controller with data protection impact assessments.
Article 28(5) allows adherence to an approved code of conduct or certification mechanism to count as an element demonstrating a processor’s compliance. Article 28(6) allows contracts to be based on standard contractual clauses.
Article 28(10) makes clear that a processor becomes a controller in its own right if it starts determining the purposes and means of processing beyond the controller’s instructions.
Article 28 governs how processors handle personal data on behalf of controllers, and sets out clear responsibilities for both sides. Processors must use appropriate security measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.
Anyone authorised to process personal data must do so under an obligation of confidentiality. Processors also cannot engage another processor without the controller’s prior written authorisation, and any sub-processor must take on the same data protection obligations as the original processor.
Business owners and compliance officers need to understand Article 28 to process data lawfully and reduce compliance risk. This means following the controller’s documented instructions and putting the necessary measures in place under data protection law.
If a personal data breach happens, processors must tell the controller without undue delay. Prompt notification helps limit the impact of the breach and supports timely remedial action.
Standard contractual clauses (SCCs) can simplify compliance with Article 28 when built into contracts between controllers and processors. SCCs make sure contracts meet legal requirements and give a clear framework for processing activities.
The European Commission is authorised to create SCCs to support GDPR compliance.
Supervisory authorities can also adopt their own standard contractual clauses as part of their regulatory framework. Adherence to an approved code of conduct, or certification through an approved mechanism, can help a processor demonstrate it offers sufficient guarantees.
A contract under Article 28 must state that the processor can only process data according to the controller’s documented instructions. Processors that follow approved codes of conduct or certification schemes often find this simplifies their compliance process and gives them a competitive edge.
Training staff on their role in GDPR compliance, and running regular risk assessments to spot data processing vulnerabilities, both help organisations maintain strong data protection and reduce the risk of non-compliance.
Contracts must state the processor’s obligation to help the controller respond to data subject rights requests. Following approved codes of conduct can help processors demonstrate the security measures required under Article 32 of the GDPR.
Setting up a clear procedure for reporting data breaches supports swift compliance.
Putting appropriate technical and organisational measures in place, such as encryption, access controls, and regular audits, is central to complying with Article 28. Organisations should also set up a procedure for immediately reporting any instruction that would breach data protection law.
GDPR Article 28 protects personal data by clearly defining the responsibilities of data controllers and processors. It makes sure personal data is handled to a high standard of security, transparency, and accountability.
Organisations need to understand and apply the obligations in Article 28 to comply with the law, protect data subjects’ rights, and build trust with customers.
Both controllers and processors must demonstrate compliance by running regular audits, applying data protection by design and by default, and only working with partners that can offer sufficient guarantees.
Our GDPR compliance checklist and data processing agreement template can help you put these obligations into practice.
About the Author
Zlatko Delev
Country Manager & Head of Commercial — GDPRLocal
Zlatko specialises in data protection compliance, ISMS strategy, and AI law. With a legal background and hands-on experience supporting organisations globally, he helps businesses navigate GDPR, the EU AI Act, and international privacy frameworks.
A data controller decides why and how personal data is processed. A data processor acts on the controller’s instructions and handles the data on their behalf.
A processor must follow the controller’s documented instructions, implement appropriate technical and organisational security measures, assist with data subject rights, and notify the controller of any data breaches without undue delay.
Contracts must clearly state the subject matter, duration, purpose, type of data, categories of data subjects, and the processor’s obligation to act only on the controller’s instructions. They must also cover sub-processing, security, and end-of-service data handling.
Choose processors that can prove they’ve implemented strong data protection measures. Look for adherence to recognised codes of conduct, certifications, regular audits, and a transparent process for breach reporting and accountability.