
AI Summary of Article 28 Processor

This document outlines the responsibilities of data processors when handling personal data on behalf of data controllers, emphasising the need for sufficient technical and organisational safeguards to comply with data protection regulations.

It mandates that processors engage other processors only with prior written consent and ensure that the same data protection obligations are enforced in sub-processing agreements. Additionally, the contract should stipulate the measures for confidentiality, compliance, and audit transparency, reinforcing the processor's accountability and the necessity to safeguard data subjects' rights throughout the processing lifecycle.

Version status: Applicable | Document consolidation status: Updated to reflect all known changes
Version date: 25 May 2018 - onwards
Version 3 of 3

Article 28 Processor

1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.