Have you ever used an email service to process someone’s personal data?
Or maybe you’re more the direct messaging app type of person.
Or perhaps you use Facebook or Instagram.
In any case, congrats: knowingly or not, you have been partnering with a Data Processor.
And if the GDPR applies to you, you might want to keep reading to find out what Article 28 has to say about it.
Article 28 GDPR: Definition of Data Processor
Article 4(8) GDPR defines the Data Processor as «a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.»
As we’ve seen discussing the material scope of the GDPR, under the Regulation the notion of “processing” covers pretty much any operation that can possibly be performed on personal data.
Consequently, every time an entity “does something” with personal data on your behalf (even if it’s just a very menial task), you’re using a Data Processor.
So if you believed only big companies specializing in data processing could count as Data Processors, think again. When you use email for professional reasons, for instance, your service provider acts as a Data Processor (and that might be a problem).
As the Handbook on European data protection law clarifies, an entity can act both as Data Controller and Data Processor.
Nevertheless, there is a difference between the two roles: the powers and obligations of a Data Processor differ from those of a Controller.
And that’s where Article 28 comes into play.
Article 28 GDPR: Relationship Between Controller and Processor
Article 28 lays out a pretty comprehensive and detailed framework.
Before we go into details, let’s focus on the two main ideas underpinning the whole norm.
Idea n.1: Data Processors Must Offer Adequate Guarantees
The GDPR was designed to protect personal data. That’s the whole point of the Regulation; and that’s why Data Controllers are required to comply with several (admittedly, somewhat annoying) provisions.
If Controllers were allowed to outsource the processing to whichever entity they liked and call it a day, personal data could be at risk. Therefore, the GDPR makes sure that’s not possible.
As Article 28(1) clearly states,
«Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.»
It’s up to the Controller to ensure the Processor meets the required standards.
So if you are a Data Controller and have someone else processing personal data on your behalf, you are legally obligated to ensure this entity complies with the GDPR. Because if it doesn’t, you are in trouble.
Idea n.2: Data Processors Have to Follow the Controller’s Instructions
Although the Data Processor might be the one actually carrying out the processing, the GDPR makes it clear that the initiative continues to lie with the Data Controller.
According to Article 28(3)(a), Processors must process personal data only on documented instructions from the Controller. Article 29 GDPR further reinforces this notion.
The takeaway is clear: Data Controllers retain the right (and the onus) to determine the purpose and means of the processing, while Data Processors should limit themselves to following the Controller’s directions.
Even when Controllers delegate the power to determine the means of processing, they must retain (and exercise) a degree of control over the Processor’s decisions.
Article 28(10) adds that if Processors overstep this boundary by autonomously determining the purposes and means of the processing, they will be considered Data Controllers and treated as such.
Article 28(3) The Contract Between Controller and Processor
According to Article 28(3), all processing activities carried out by a processor must be governed by either a contract or another act that’s binding under EU or Member State law.
(For the sake of simplicity we’ll refer to this act as “contract.” But keep in mind that as long as we’re dealing with a binding act, its name doesn’t matter.)
Article 28(9) states that the contract must be in writing, and electronic form is allowed. But Article 28 doesn’t just regulate the form of the contract: Article 28(3) lists several clauses it must contain to be GDPR-compliant.
Specifically, the parties must lay down:
- The subject matter of the processing (what is the processing about?);
- Its duration (how long will it last?);
- Its nature and purpose;
- The type of personal data concerned (is it “regular” personal data that’s going to be processed? Or are we dealing with special categories of personal data?);
- The categories of data subjects affected;
- The obligations and rights of the Controller.
And that’s just the beginning. Article 28(3) goes on to stress that the contract must stipulate that:
- The Processor undertakes to act only when instructed by the Controller. The Processor, in particular, cannot transfer personal data without the Controller’s approval (unless they’re required to do so by EU or Member State law, in which case they shall inform the Controller);
- The person(s) who’ll physically process the data will commit themselves to confidentiality;
- The Processor will take all necessary measures to ensure the security of the processing, as per Article 30, GDPR;
- The Processor will respect the conditions set forth by Article 28(2) and 28(4) when engaging another processor;
- The Processor will assist the Controller in ensuring the respect of the Data Subject’s rights;
- The Processor will assist the Controller in fulfilling their obligations related to the security of processing, data breaches, and the data protection impact assessment;
- After completing the service, the Processor will delete the personal data or return it to the Controller if the latter requires them to do so;
- The Processor will make available to the Controller all the information required to demonstrate compliance with Article 28.
So yeah: you should sign a contract including all these clauses every time you have an entity process personal data on your behalf. Failing to do so means you’re violating the GDPR.
The good news is that some service providers (not all) are fully aware of this obligation and offer Data Protection Agreements to their customers.
The bad news is that you’ll have zero chance to negotiate these contracts: as we’ve seen talking about Gmail, it’s a “take it or leave it” kind of scenario.
Article 28 GDPR: Sub-processors
As we’ve seen, outsourcing is one of the aspects the contract between Controller and Processor should cover.
Outsourcing is permitted but strictly regulated. Put differently, the Data Processor can have a third party process personal data on the Controller’s behalf only when two sets of conditions are met.
First, the Processor cannot engage a sub-processor without the Controller’s authorization. This requirement is spelled out in Article 28(2), which states that:
«The Processor shall not engage another processor without prior specific or general written authorisation of the Controller. In the case of general written authorisation, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Controller the opportunity to object to such changes.»
Secondly, Article 28(4) clarifies that Processor and sub-processor must sign a contract mirroring the one in force between Processor and Controller. Needless to say, the sub-processor must offer the same level of guarantees required of the Data Controller and Data Processor.
If the sub-processor fails to fulfill those obligations, the original Data Processor remains fully liable to the Controller.
Article 28 GDPR: The Takeaway
Data Processors are not just for big companies. Almost every Data Controller partners with one at some point – even though they might not realize it.
For Data Controllers, it’s critical to choose a Processor ensuring compliance with the requirements laid out in Article 28, GDPR.
Granted, that’s not always an easy task. Some companies don’t offer Data Processing Agreements. Others don’t allow their clients to negotiate specific clauses. This imbalance is a problem: the GDPR envisions a system in which the Processor only acts on the Controller’s input, and that’s not what happens in these cases.
But acknowledging the difficulty doesn’t mean Controllers should give up entirely.
Many companies offer comprehensive and fully compliant Data Processing Agreements. It’s worth checking them out.