
Article 28 GDPR (General Data Protection Regulation)

Article 28 of the GDPR sets out the guidelines for the relationship between data controllers and processors, and the responsibilities and behavior of processors. In this post we’ll take a look at the difference between processors and controllers and explain exactly what’s required by Article 28 of the GDPR.


What is the difference between a data controller and a data processor?

The term “data controller” means any person or legal entity involved in determining the purpose and ways of processing the personal data, while the term “data processor” means any person or legal entity involved in processing personal data on behalf of the controller. In simple terms, the processor handles personal data on behalf of the data controller and not for their own purposes. While the processor does have to follow some rules to ensure that data is handled correctly, ultimately, the controller bears the responsibility for the personal data in the eyes of the law.

What does Article 28 of the EU General Data Protection Regulation say?

  • The controller must only use processors that can provide sufficient guarantees that the processing activities will meet GDPR regulations.
  • The processor must not use other processors (for the agreed upon processing activities) without the permission of the data controller.
  • Processing by the processor should be governed by a contract or binding legal agreement between the processor and data controller, which sets out details such as the duration of the processing, purpose, categories of data processed, obligations of the controller and should state in particular that the processor:
    • ensures that the authorised individuals processing the data are committed to confidentiality,
    • agrees to apply required security measures and will respect the other conditions referenced above,
    • commits to assist the controller in the fulfilment of obligations regarding user rights (e.g. the right to be forgotten),
    • commits to making available to the controller any and all information needed to show compliance and/or to facilitate audits and inspections authorised by the controller.
  • If the processor engages the services of another processor on behalf of the controller, the binding agreement and data protection standards set between the controller and processor will also apply to that other processor. If that processor fails to meet these obligations, the initial data processor will remain liable to the controller.
  • The contract/agreement referred to above must be in writing (including electronic form).
  • If the processor violates this regulation by applying its own means and purposes for processing user data, the processor will be considered a controller with regard to that particular processing.

See the full text of Article 28 of the GDPR here.

Do I need a Data Processing Agreement?

If you’re engaging the services of a processor then you’ll likely need a data processing agreement (DPA). Some popular processors (e.g. MailChimp) have included data processing agreements as a part of their terms. Where not provided by the processor, you’ll need to provide one yourself. To help you with this, we’ve prepared a free DPA template below.

Please note that not all third parties are data processors. In cases where the third party processes user data for their own purposes, e.g. the Facebook Like widget, the third party is also considered to be a controller. Any such third parties and the related processing must always be disclosed in your privacy policy.
