The General Data Protection Regulation (GDPR) requires Data Controllers to establish a written agreement with the Data Processor stating the terms and conditions of the data processing activity. Before entering into a contract with the Data Processor, a Data Processing Agreement covering the processing of personal data must therefore be signed by both parties.
The terms, conditions, and requirements of the Data Processing Agreement are specified in Article 28 of the GDPR. Article 28 sets out the requirements and guidelines for Data Processors, highlighting their responsibilities for ensuring the privacy and security of personal data. Below we elaborate on the requirements of Article 28 and explain what is expected of the Data Processor to ensure GDPR compliance.
What is Article 28 of GDPR?
GDPR Article 28 outlines the requirements that Data Processors must meet when processing personal data. It requires Data Processors to follow the documented instructions of the Data Controller when processing data. Where the law or a legal requirement obliges the Data Processor to process the data otherwise, the Data Processor must notify the Data Controller of that legal requirement before processing the data.
This requirement also applies to the transfer of personal data to a third country or an international organization. In every case, the Data Processor must ensure it is authorized to process the data and that it meets the security and privacy requirements of the GDPR. The Data Processor must take all measures required under Article 32 to ensure the security of processing of personal data. The requirements that Data Processors are expected to meet, as specified in Article 28 of the GDPR, are given below.
Governance of Processing Activity
GDPR Article 28 paragraph 3 requires the Data Controller to establish and sign a contract with the Data Processor stating the duration of the processing, the nature and purpose of the processing, the type of personal data to be processed and the categories of data subjects, and the obligations and rights of the controller. The contract further stipulates that:
The data processing activity is carried out only on the documented instructions of the Data Controller.
The Data Processor grants access to the personal data only to personnel who have committed themselves to confidentiality or are under a statutory obligation of confidentiality.
The Data Processor implements the technical and organizational measures outlined in Article 32 of the GDPR.
The Data Processor does not engage other Sub-processors without the prior consent of the Data Controller.
Where the Data Processor engages a Sub-processor, the same data-protection obligations flow down to the Sub-processor so that the Data Processor's obligations are enforced.
The Data Processor assists the Data Controller in fulfilling the controller's obligation to respond to requests made by data subjects when exercising their rights under Chapter III.
The Data Processor assists the Data Controller in ensuring compliance with the obligations under Articles 32 to 36, taking into account the nature of the processing and the information available to the Data Processor. This includes assistance with the obligations under:
Article 32 GDPR – Security of Processing
Article 33 GDPR – Notification of a Personal Data Breach to the Supervisory Authority
Article 34 GDPR – Communication of a Personal Data Breach to the Data Subject
Article 35 GDPR – Data Protection Impact Assessment
Article 36 GDPR – Prior Consultation with the Supervisory Authority
The Data Processor deletes or returns the personal data on the instruction of the Data Controller.
The Data Processor provides the Data Controller with all information necessary to demonstrate the Data Processor's compliance with the GDPR, and allows for and contributes to audits, including inspections, conducted by the Data Controller or by another auditor mandated by the Data Controller.
Data Processor Considered as Data Controller
Where the Data Processor itself determines the purpose of the data processing, the Data Processor shall be considered a Data Controller with regard to that processing activity, without prejudice to Articles 82, 83 and 84 of the GDPR.
(Source – EUR-Lex)
For more details on the GDPR or any queries, you can contact us or drop us a mail at info@vistainfosec.com. You can also read our other articles, webinars, and expert videos explaining the GDPR in detail and ways to achieve compliance. For guidance and consultation on GDPR compliance, you can avail of our FREE ONE SESSION OF CONSULTATION WITH OUR EXPERTS!