Data Controller vs Data Processor: Practical Guide Under GDPR Article 28

Under the General Data Protection Regulation (GDPR), the relationship between data controllers and data processors is foundational to ensuring lawful and secure processing of personal data. While Article 28 of the GDPR provides specific requirements for this relationship, it’s essential to understand the broader context and responsibilities that both parties hold.

Key Takeaways

Controllers determine the purposes and means of processing personal data and are responsible for ensuring that any processing activities comply with the GDPR.

Processors act on behalf of controllers and must process data only under documented instructions from the controller, ensuring that appropriate security measures are in place to protect the data.

Contracts between controllers and processors must outline the scope of processing, security obligations, and terms for engaging sub-processors, among other requirements.

Defining Roles and Responsibilities

Data Controller

A data controller is the entity that decides why and how personal data is processed. The controller is accountable for ensuring that processing activities comply with the GDPR and must implement appropriate technical and organisational measures to protect personal data.

Data Processor

A data processor processes personal data on behalf of the controller. The processor must follow the controller’s documented instructions and implement appropriate security measures to ensure compliance with relevant regulations. Processors also have direct obligations under the GDPR, such as maintaining records of processing activities and notifying controllers of data breaches.

Establishing a Controller-Processor Contract

The GDPR requires controllers and processors to enter into a binding contract that outlines the terms of data processing. This contract should include:

Subject matter and duration of the processing.
Nature and purpose of the processing.
Types of personal data and categories of data subjects.
Obligations and rights of the controller.
Processor’s commitments, such as processing data only on documented instructions, ensuring confidentiality, and implementing security measures.

Additionally, the contract should specify the conditions under which the processor can engage sub-processors and outline procedures for notifying data breaches and responding to requests for data subject rights.

Engaging Sub-Processors

Processors must not engage another processor (sub-processor) without prior specific or general written authorisation from the controller. When authorised, processors must ensure that sub-processors are bound by the same data protection obligations as set out in the contract between the controller and the processor. The initial processor remains fully liable to the controller for the performance of the sub-processor’s obligations.

Direct Obligations of Processors

Beyond contractual obligations, processors have direct responsibilities under the GDPR, including:

Implementing appropriate security measures to protect personal data.
Maintaining records of processing activities.
Notifying the controller without undue delay after becoming aware of a personal data breach.
Assisting the controller in ensuring compliance with obligations concerning data subject rights, data breach notifications, and data protection impact assessments.

Overview of GDPR Article 28

GDPR Article 28 is a component of the General Data Protection Regulation, ensuring that personal data processing complies with legal and regulatory standards. The article addresses eight key areas related to data processing activities, providing a comprehensive framework that organisations must adhere to in order to protect the rights of data subjects. These areas are crucial for any business that wants to protect data subject rights effectively.

Under GDPR Article 28, organisations must conform to various legal, statutory, regulatory, and contractual requirements. These obligations are designed to ensure that data processors fulfil their statutory duties and protect personal data against unauthorised processing. The article emphasises the importance of adhering to privacy protection obligations when entering into new agreements.

Relevant provisions of GDPR Article 28 include Article 28(5), 28(6) and 28(10), which set out specific obligations for data processors. Organisations must follow procedures to identify and understand their legislative and regulatory obligations, ensuring compliance. This approach mitigates risks and fosters accountability and transparency within the organisation.

Adhering to the principles of GDPR Article 28 ensures that organisations’ data processing activities meet the stringent requirements of the regulation. This protects the rights of data subjects and helps build trust and credibility with customers.

Legal Text of GDPR Article 28

GDPR Article 28 governs the processing of personal data by processors on behalf of controllers, establishing clear responsibilities and obligations. The regulation mandates that data processors implement robust security measures, including technical and organisational safeguards, to comply with GDPR standards. These measures protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.

Article 28 mandates that data processors use appropriate security measures to protect personal data. This includes ensuring that any person authorised to process personal data does so under the obligation of confidentiality. Moreover, processors must not engage another processor without prior specific or general written authorisation of the controller, ensuring that the same data protection obligations are imposed on the sub-processor.

Business owners and compliance officers must understand GDPR Article 28 to ensure lawful data processing and mitigate compliance risks. The article emphasises the importance of adhering to the documented instructions from the data controller and implementing the measures required under data protection laws; non-compliance exposes the organisation to enforcement action.

In the event of a personal data breach, processors must inform the data controller without undue delay. This prompt notification is crucial for mitigating the potential impact of the breach and taking appropriate remedial actions. Adhering to the legal text of GDPR Article 28 ensures that organisations’ data processing activities comply with the regulation’s stringent requirements, including the requirement to notify personal data breaches.

Standard Contractual Clauses and Codes of Conduct

Standard contractual clauses (SCCs) can simplify compliance with GDPR Article 28 when included in contracts between controllers and processors. SCCs ensure that contracts meet legal requirements and provide a clear framework for data processing activities. The European Commission is authorised to create the SCCs to support compliance with GDPR obligations.

Supervisory authorities can also adopt standard contractual clauses as part of their regulatory framework under the GDPR. This provides an additional layer of assurance for organisations seeking to comply with data protection requirements. Adherence to an approved code of conduct, or a certification granted through an approved certification mechanism, can be used to demonstrate that a processor provides the necessary guarantees.

Processors can demonstrate compliance with GDPR Article 28 by adhering to approved codes of conduct or certification mechanisms. This simplifies the compliance process and provides a competitive advantage by demonstrating a commitment to data protection. A contract under Article 28 must state that the processor can only process data according to the controller’s documented instructions.

Adopting standard contractual clauses and approved codes of conduct ensures that organisations’ data processing activities comply with GDPR Article 28. This protects the rights of data subjects and helps build trust and credibility with customers.

Practical Steps for Compliance

Organisations should implement training programs for staff to understand their roles in complying with GDPR requirements. Regular risk assessments are crucial for identifying data processing vulnerabilities and ensuring the implementation of effective protection measures. These proactive steps help maintain a high standard of data protection and mitigate risks associated with non-compliance.

Contracts must outline the processor’s obligation to assist the controller in fulfilling requests from data subjects regarding their rights, and in meeting the controller’s other obligations. Adhering to approved codes of conduct can provide processors with a way to demonstrate compliance with the security measures mandated by Article 32 of the GDPR. Establishing a procedure for reporting data breaches is crucial for swift compliance with the GDPR.

Implementing appropriate technical and organisational measures is key to ensuring compliance with GDPR Article 28. These measures include encryption, access controls, and regular audits to ensure the protection of data. Organisations should also establish a procedure for the processor to immediately report any instruction that infringes data protection law.

These practical steps ensure that organisations’ data processing activities comply with GDPR Article 28. This protects the rights of data subjects and helps build a culture of accountability and transparency within the organisation.

Summary

GDPR Article 28 is important for protecting personal data by clearly defining the responsibilities of data controllers and processors. It ensures that personal data is handled with high standards of security, transparency, and accountability. Organisations must understand and implement the legal obligations outlined in Article 28 to comply with the law, protect the rights of data subjects, and build trust with customers.

Both controllers and processors are required to demonstrate compliance by conducting regular audits, applying data protection by design and by default, and engaging only partners that can provide sufficient guarantees.

Frequently Asked Questions

1. What is the difference between a data controller and a data processor?
A data controller decides why and how personal data is processed. A data processor acts on the controller’s instructions and handles the data on their behalf.

2. What are the key responsibilities of a data processor under GDPR Article 28?
A processor must follow the controller’s documented instructions, implement appropriate technical and organisational security measures, assist with data subject rights, and notify the controller of any data breaches without undue delay.

3. What should be included in contracts between controllers and processors?
Contracts must clearly state the subject matter, duration, purpose, type of data, categories of data subjects, and the processor’s obligation to act only on the controller’s instructions. They must also cover sub-processing, security, and end-of-service data handling.

4. How can organisations ensure they select the right data processor?
Choose processors that can prove they’ve implemented strong data protection measures. Look for adherence to recognised codes of conduct, certifications, regular audits, and a transparent process for breach reporting and accountability.