GDPR Article 28 addresses the outsourcing of data processing activities to service providers and outlines a legal framework for such cooperation, protecting the data subjects’ rights and ensuring compliance.
Processor
- Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
- The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
- Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
- (a) Processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- (b) Ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- (c) Takes all measures required pursuant to Article 32.
- (d) Respects the conditions referred to in paragraphs 2 and 4 for engaging another processor.
- (e) Taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III.
- (f) Assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor.
- (g) At the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data.
- (h) Makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.
- Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.
- Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.
- Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.
- The Commission may lay down standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2).
- A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.
- The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.
- Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.
Processor
- Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
- The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
- Processing by a processor shall be governed by a contract or other legal act under domestic law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
- (a) Processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by domestic law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- (b) Ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- (c) Takes all measures required pursuant to Article 32.
- (d) Respects the conditions referred to in paragraphs 2 and 4 for engaging another processor.
- (e) Taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III.
- (f) Assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor.
- (g) At the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless domestic law requires storage of the personal data.
- (h) Makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other domestic law relating to data protection obligations.
- Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under domestic law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.
- Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.
- Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraph 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.
- The Commissioner may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article.
- The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.
- Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.
GDPR Article 28 deals with 8 constituent areas that govern how data processing activities may be outsourced to third-party service providers:
In this section we talk about GDPR Articles 28 (10), 28 (5) and 28 (6)
Organisations need to undergo a mapping exercise that lists both internal and external factors relating to the implementation of a PIMS.
The organisation needs to be able to understand how it’s going to achieve its privacy protection outcomes, and any issues that stand in the way of safeguarding PII should be identified and addressed.
Before attempting to address privacy protection and implement a PIMS, organisations need to first gain an understanding of their obligations as a singular or joint PII controller and/or processor.
This includes:
In this section we talk about GDPR Articles 28 (1), (3)(a), (3)(b), (3)(c), (3)(d), (3)(e), (3)(f), (3)(g) and (3)(h)
When addressing security within supplier relationships, organisations should ensure that both parties are aware of their obligations towards privacy information security, and one another.
In doing so, organisations should:
Organisations should also maintain a register of agreements that lists all agreements held with other organisations.
In this section we talk about GDPR Articles 28 (1), (3)(a), (3)(b), (3)(c), (3)(d), (3)(e), (3)(f), (3)(g) and (3)(h)
Organisations should conform to legal, statutory, regulatory and contractual requirements when:
Organisations should follow procedures that allow them to identify, analyse and understand legislative and regulatory obligations – especially those that are concerned with privacy protection and PII – wherever they operate.
Organisations should be continually mindful of their privacy protection obligations whenever entering into new agreements with third-parties, suppliers and contractors.
When deploying encryption methods to bolster privacy protection and safeguard PII, organisations should:
Organisations need to outline the details of any joint PII processing arrangement, with an accompanying PII controller – this includes general protection measures and all associated security requirements.
Roles and responsibilities need to be clear and unambiguous, and outlined in a legally-binding document (sometimes called a ‘data sharing agreement’).
Agreements can include (among other measures):
In this section we talk about GDPR Articles 28 (3)(e) and 28 (3)(f) and 28 (9)
Customer contracts should include:
Contracts should include SLAs relating to mutual objectives, and any associated time scales within which they need to be completed.
Organisations should retain the right to choose the specific methods used to process PII, provided those methods lawfully achieve what the customer is looking for, without needing to obtain granular permission for how the processing is carried out on a technical level.
Organisations need to maintain a thorough working understanding of how instructions have the potential to conflict with applicable legislation or regulatory obligations.
Infringements usually arise from three factors:
Organisations need to be able to provide their customers with sufficient information, so that customers are able to fulfil their obligations at any given time.
The required information can incorporate a wide range of functions, but is usually related to internal audits, and the organisation’s role in facilitating them through the supply of information.
Controllers’ obligations are governed by three factors:
Contracts should include any information or technical operations that allow the organisation to fulfil its obligations as a controller.
There are various scenarios that require the disposal of PII, including (but not limited to):
Organisations need to provide categorical assurances that any PII which is no longer needed is going to be destroyed in accordance with any prevailing legislation or regional guidelines.
All disposal policies should be available to the customer on demand, and should cover the period of time that organisations have to destroy PII, once a contract has been terminated.
Organisations should draft a procedure that governs how PII principals are notified of legally-binding third party requests for their information, including a reasonable timeframe and a contractual stipulation that outlines the entire process.
Above all, organisations need to comply with the requests of law enforcement agencies, who have the right to require that the customer is not notified of a request, and must ensure they do not break any laws by accidentally or wilfully informing the customer of the situation.
All provisions for the use of subcontractors should be listed as such within the SLA/customer contract.
Information on subcontractors should include:
NDAs should be drafted to cover any information that would represent a heightened security risk if publicly exposed.
Organisations need to obtain written approval from their customers prior to any PII being processed by a third-party organisation.
Subcontractors should be subject to a binding agreement (usually in the form of a written contract), which ensures that subcontractors understand their obligations towards implementing the controls listed in ISO 27701 Annex B.
Contracts should take into account various risk assessment processes (see ISO 27701 Clause 5.4.1.2), and the entire scope of the organisation’s PII processing operation (see ISO 27701 Clause 6.12). As above, all controls listed in Annex B should be adhered to, with any omissions listed, alongside the justifications for doing so.
Whenever the need arises to change the way that the organisation outsources any element of its PII processing operation, customers should be informed of the changes well in advance in order to give them time to question or object to said changes.
Contracts should include clauses that cater for written authorisation from the customer to go ahead with the change, before any PII is processed.
Organisations may also seek approval for changes within ad-hoc written agreements, outside of any contractual terms.
GDPR Article | ISO 27701 Clause | ISO 27002 Controls
---|---|---
EU GDPR Articles 28 (3)(b) to (3)(h) | 6.12.1.2 | 5.10 5.12 5.13 5.20 |
EU GDPR Articles 28 (1) to (3)(h) | 6.15.1.1 | 5.20 |
EU GDPR Articles 28 (3)(e) and 28 (9) | 7.2.6 | None |
EU GDPR Articles 28 (3)(e) to 28 (9) | 8.2.1 7.4 8.4 | None |
EU GDPR Article 28 (3)(a) | 8.2.2 | None |
EU GDPR Article 28 (3)(h) | 8.2.4 | None |
EU GDPR Article 28 (3)(h) | 8.2.5 | None |
EU GDPR Article 28 (3)(h) | 8.3.1 | None |
EU GDPR Article 28 (3)(g) | 8.4.2 | None |
EU GDPR Article 28 (3)(a) | 8.5.4 | None |
EU GDPR Articles 28 (2) and 28 (4) | 8.5.6 8.5.2 8.5.7 | None |
EU GDPR Articles 28 (2) and 28 (3)(d) | 8.5.7 5.4.1.2 6.12 | None |
EU GDPR Article 28 (2) | 8.4 | None |