

The General Data Protection Regulation (GDPR) introduced by the European Union (EU) has significantly changed how organisations handle personal data. One critical aspect of GDPR is Article 28, which sets out the requirements that apply whenever a processor handles personal data on behalf of a controller, and the terms that the contract between them must contain. This article looks at the key provisions of GDPR Article 28 and what they mean for businesses.

Understanding GDPR Article 28:

  1. Controller and Processor Relationship:

GDPR distinguishes two roles: the data controller determines the purposes and means of processing personal data, while the data processor processes personal data on the controller’s behalf (the definitions themselves sit in Article 4; Article 28 governs the relationship between the two). Article 28 requires that this relationship be governed by a contract or other legal act that is binding on the processor and is in writing, including electronic form, and that clearly sets out each party’s specific obligations.

  2. Processor Obligations:

GDPR Article 28 places several obligations on data processors, including:

a. Processing only on Documented Instructions: Processors may process personal data only on the controller’s documented instructions, including with regard to transfers of personal data to a third country, unless Union or Member State law requires otherwise. Personal data must not be used for the processor’s own purposes.

b. Confidentiality and Security: Processors must ensure that the persons authorised to process the personal data are bound by confidentiality (contractually or by statute), and must implement the technical and organisational security measures required by Article 32 to protect against unauthorised access, disclosure, alteration or loss.

c. Engaging Sub-Processors: Processors must not engage another processor without the controller’s prior written authorisation, which may be specific or general. Under a general authorisation the processor must inform the controller of any intended addition or replacement of sub-processors and give the controller the opportunity to object. The same data protection obligations must be flowed down to the sub-processor in writing, and the processor remains fully liable to the controller for the sub-processor’s performance of those obligations.

d. Data Breach Notification: Processors must notify the controller without undue delay after becoming aware of a personal data breach, so that the controller can meet its own notification obligations under Articles 33 and 34.

  3. Controller Obligations:

GDPR Article 28 also outlines certain obligations for data controllers, such as:

a. Careful Selection of Processors: Controllers may use only processors that provide sufficient guarantees that they will implement appropriate technical and organisational measures so that processing meets the requirements of GDPR and protects the rights of data subjects. This is a due-diligence obligation that applies before the processor is engaged.

b. Contractual Provisions: Controllers must ensure that contracts with processors contain the provisions required by Article 28(3), including the subject-matter and duration of the processing, its nature and purpose, the type of personal data and categories of data subjects, and the obligations and rights of the controller.

c. Monitoring Compliance: Controllers should monitor processors’ activities to ensure ongoing compliance with GDPR. Article 28(3)(h) supports this by requiring the processor to make available all information necessary to demonstrate compliance and to allow for and contribute to audits and inspections conducted by the controller or an auditor it mandates. In practice this means regular assessments, audits and maintaining the relevant documentation.

Benefits of Compliance:

Complying with GDPR Article 28 provides numerous benefits for both data controllers and processors, including:

  1. Enhanced Data Security: By adhering to the requirements of Article 28, organisations strengthen their data security measures, reducing the risk of data breaches and unauthorised access.
  2. Building Trust: Demonstrating compliance fosters trust between businesses and their customers. Compliant organisations are more likely to attract customers who prioritise data protection and privacy.
  3. Avoiding Penalties: Non-compliance with GDPR can result in severe penalties. Infringements of the controller and processor obligations in Article 28 fall under Article 83(4), which allows administrative fines of up to €10 million or, for an undertaking, up to 2% of total worldwide annual turnover, whichever is higher. Adhering to Article 28 helps organisations mitigate these risks and avoid legal consequences.
  4. Streamlined Data Processing: Clearly defined roles and obligations between controllers and processors lead to more efficient and effective data processing operations, benefiting both the organisation and the individuals whose data is being processed.


Complying with GDPR Article 28 is crucial for organisations seeking to protect personal data and ensure lawful and ethical data processing practices. By understanding the responsibilities of data controllers and processors and establishing robust contractual agreements, businesses can build trust with their customers, enhance data security and avoid potential penalties. Prioritising GDPR compliance not only safeguards individuals’ privacy but also demonstrates a commitment to responsible data handling in the digital era.