GDPR (Articles 28-30)

Cross-Sector

The EU's General Data Protection Regulation establishes strict requirements for organizations when engaging third parties to process personal data

Overview

The General Data Protection Regulation (GDPR) represents the most significant change in data privacy regulation in decades. It affects not only organizations within the European Union but any organization that processes the personal data of EU residents.

Articles 28-30 specifically address the relationship between data controllers and data processors, establishing clear obligations and responsibilities for third-party risk management in the context of personal data processing.

Status

Active - Effective since May 25, 2018

Jurisdiction

European Union (with extraterritorial reach)

Regulatory Authority

National Data Protection Authorities, European Data Protection Board

Penalties for Non-Compliance

Up to €20 million or 4% of global annual turnover, whichever is higher

Key Requirements

Essential GDPR provisions for processor management and third-party risk

Article 28: Processor Obligations

Controllers must use only processors that provide sufficient guarantees to implement appropriate technical and organizational measures to meet GDPR requirements and protect data subjects' rights.

"Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller..."
  • Contractual Requirements: Processing must be governed by a binding contract that sets out specific terms
  • Processor Limitations: Processors may only act on documented instructions from the controller
  • Confidentiality Commitments: Persons authorized to process data must be bound by confidentiality
  • Security Measures: Processor must implement appropriate security measures under Article 32
  • Sub-processor Restrictions: Prior authorization required for engaging sub-processors
  • Controller Assistance: Processor must assist the controller in meeting GDPR obligations
  • Data Deletion/Return: Processor must delete or return all personal data after processing
  • Audit Rights: Processor must allow for and contribute to audits by the controller

Article 29: Processing Under Authority

This article restricts who may process personal data under the authority of the controller or the processor, and on whose instructions.

"The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller..."
  • Limited Processing Authority: Processing only as instructed by the controller
  • Personnel Management: Ensuring all staff with data access follow the controller's instructions
  • Liability for Personnel: The processor remains liable for the actions of its personnel
  • Accountability: Maintaining a control system that ensures compliance with the controller's instructions

Article 30: Records of Processing Activities

Each controller and processor must maintain records of processing activities under their responsibility.

"Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility..."
  • Controller Records: Must maintain detailed records including purposes, data categories, recipients, transfers, timelines, and security measures
  • Processor Records: Must maintain records of all categories of processing activities performed for controllers
  • Documentation Format: Records must be in writing, including electronic form
  • Availability to Authorities: Records must be made available to supervisory authorities on request
  • SME Exemption: Organizations with fewer than 250 employees have limited exemptions

Related Provisions for Third-Party Risk

Several other GDPR articles directly impact third-party risk management requirements:

  • Article 32 (Security): Requires implementation of appropriate technical and organizational security measures
  • Article 33 (Breach Notification): Processors must notify controllers of data breaches without undue delay
  • Article 35 (DPIA): Data Protection Impact Assessments may be required when engaging high-risk processors
  • Articles 44-50 (Transfers): Restrictions on transferring personal data to third countries
  • Article 82 (Liability): Processors are liable for damage caused by processing that infringes GDPR

Implementation Guide

Practical steps for ensuring GDPR compliance in third-party relationships

Data Processor Mapping and Inventory

Identify and document all third parties that process personal data on your behalf:

  • Create a comprehensive inventory of all data processors
  • Classify processors by risk level based on data sensitivity and processing scope
  • Document data flows between your organization and processors
  • Identify any processors operating outside the EEA
  • Map sub-processor relationships and dependencies

Processor Due Diligence

Evaluate processors to ensure they provide "sufficient guarantees" to implement appropriate measures:

  • Review the processor's data protection policies and procedures
  • Assess technical and organizational security measures
  • Verify privacy certifications and adherence to approved codes of conduct
  • Review the processor's track record and reputation regarding data protection
  • Consider requesting completion of detailed security questionnaires

GDPR-Compliant Data Processing Agreements

Implement contracts that include all Article 28 requirements:

  • Define the subject matter, duration, nature, and purpose of processing
  • Specify type of personal data and categories of data subjects
  • Include all mandatory clauses from Article 28(3)
  • Address international data transfers if applicable
  • Define audit rights and processes
  • Establish breach notification procedures and timelines

Sub-processor Management

Establish processes for controlling and overseeing sub-processors:

  • Decide between requiring prior specific authorization or general written authorization
  • Implement a sub-processor change notification procedure
  • Ensure sub-processors are bound by equivalent data protection obligations
  • Maintain an up-to-date list of all authorized sub-processors
  • Document objections or approvals for changes to sub-processors

Ongoing Monitoring and Compliance Verification

Establish a program to monitor processor compliance over time:

  • Develop a risk-based processor audit program
  • Implement regular compliance attestation requirements
  • Conduct periodic security assessments of critical processors
  • Review processor incident response capabilities
  • Monitor for changes in processing activities or security measures

Processor Exit Planning

Develop plans for secure termination of processor relationships:

  • Define data return and deletion requirements in contracts
  • Establish methods for verifying data deletion
  • Prepare transition plans for critical processor changes
  • Document post-termination confidentiality obligations
  • Create specific offboarding procedures for different processor types

Additional Resources

Helpful materials for understanding and implementing GDPR processor requirements

Official GDPR Text

Full text of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data.

EDPB Guidelines on Processors

European Data Protection Board's guidance on concepts of controller and processor in the GDPR.

Standard Contractual Clauses

EU-approved standard contractual clauses for controller-processor relationships under Article 28.

GDPR Processor Assessment Tool

Interactive tool to evaluate processor compliance with GDPR requirements.

Processor DPA Checklist

Comprehensive checklist for ensuring your data processing agreements meet GDPR requirements.

GDPR Processor Management Webinar

Educational webinar on best practices for managing processors under GDPR.

GDPR Compliance Tools

Solutions to help organizations manage processor relationships in compliance with GDPR

Processor Inventory

Centralized repository for tracking data processors and processing activities.

DPA Generator

Tool for creating custom GDPR-compliant data processing agreements.

Processor Risk Assessment

Framework for evaluating the risk level of data processors.

Audit Management

System for scheduling, conducting, and tracking processor audits.

Transfer Impact Assessment

Tools for assessing data transfers to processors outside the EEA.

Processor Compliance Tracker

Dashboard for monitoring ongoing compliance status of all processors.

Need Help With GDPR Processor Management?

Our team of data protection experts can guide your organization through the complexities of GDPR compliance