Article 28

Article 28 of the GDPR focuses on a written contract between two parties in cases when a data controller uses a data processor to process personal data on their behalf.

When is a contract needed? - what to know about Article 28 of the GDPR

Whenever a data controller uses a data processor to process personal data on their behalf, a written contract between the parties must be in place.

Similarly, if a processor uses another organisation (i.e., a subprocessor) to help it process personal data for a controller, it needs to have a written contract in place with that subprocessor.

If your company uses a third-party vendor to help you, such as a payroll system, a CRM system, etc., that third party will be processing data on your behalf as a processor (you are then a data controller).

While the processor has obligations, you, as the data controller, have the responsibility for the personal data. In other words, you are legally required to have a contract in place that defines the roles and obligations when you share personal data with your vendors.

It is an essential part of Article 28 that controllers only use processors that can sufficiently guarantee that the processing meets the requirements of the GDPR. By having a contract in place with the required terms, you ensure that your vendors comply with the GDPR, that the personal data of your customers, users, and staff is protected, and that both parties are clear about their roles and obligations.

What is the difference between a data controller and a data processor?

In short, the data controller is the company that dictates why and how personal data is used. The data processor is the third party that processes personal data on behalf of the controller.

Examples of controllers & processors:

An online design store uses a marketing company to send promotional vouchers to customers. The design store will be the data controller, and the marketing company is the data processor.

A software company uses a cloud service to store and analyse its data. The software company is the data controller, and the cloud service provider is the processor.

See our dictionary if you want to learn more about the different roles of the data controller and data processor.

The contract between a controller and processor is called a data processing agreement (DPA). Both the Danish Data Protection Agency and European Commission have made templates that you can use for your DPA. The template made by the Danish Data Protection Agency and the template made by the European Commission are both available online.

Joint controllers

Not all third parties are data processors. In cases where the third party processes personal data for their own purposes, the third party is also considered a controller. An example could be the Facebook "Like" widget: a website operator that embeds Facebook's "Like" widget on its website is considered a joint data controller with Facebook.

Joint controllers are regulated by Article 26 of the GDPR. They are not required to have a contract in place, but they must determine their respective responsibilities. However, each controller remains responsible for complying with all the obligations of controllers under the GDPR.


A hotel and a car rental company decide to set up an online platform. They agree on what data is stored and who can access the information. Furthermore, they choose to share their customers' data to conduct marketing actions. In this case, the parties will have joint control over how the personal data of their respective customers are processed and will therefore be joint controllers regarding processing that relates to the platform.

What is important here is that both parties jointly determine the purposes and means of the processing.

What to look for in a DPA?

The contract between a controller and its processor must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, categories of data subjects, and the controller's obligations and rights.

As an example, the Openli DPA states: "Openli is instructed to process the personal data only for the purposes of providing the data processing services set out in Annex 1. Openli may not process or use the controller's personal data for any other purpose than provided in the instructions."

Read the Openli data processing agreement in full.

Article 28 sets out specific terms that always need to be included in a Data Processing Agreement:

  • Processing only on the documented instructions of the controller.
  • Duty of confidence.
  • Appropriate security measures.
  • Using subprocessors.
  • Data subjects’ rights.
  • Assisting the controller.
  • End-of-contract provisions.
  • Audits and inspections.

Below is a short description of each specific term. These terms are the minimum required, but the controller and processor may agree to supplement with their own terms and conditions. You can read the full text of Article 28 of the GDPR on the official European Union website.

Processing only on the documented instructions of the controller

When you act as a data controller, it is essential from the outset to give clear instructions to the third party that is processing data on your behalf. It should be clear from the data processing agreement that you, as the controller, have overall control of what happens to the personal data. If a vendor that processes data on your behalf acts outside of your instructions, that vendor would then be considered a controller regarding that processing and have the same liability as a controller.

Duty of confidence

The processor must obtain a commitment of confidentiality from anyone it allows to process the personal data unless that person is already under such a duty by statute; this covers both the vendor's employees and any temporary workers and agency workers who have access to the personal data.

Appropriate security measures

You must only use vendors that can provide sufficient guarantees that their processing activities will meet the requirements of the GDPR. Both controllers and processors are obliged under Article 32 to put in place appropriate technical and organisational measures to ensure the security of any personal data they process.

Using subprocessors

The vendor must not use other processors (so-called subprocessors) without the permission of the data controller. If the vendor engages the services of a subprocessor on behalf of the controller, the binding agreement and data protection standards set between the controller and the vendor will also apply to the subprocessor. If the subprocessor fails to meet these obligations, the initial vendor will remain liable to the controller.

Data subjects’ rights

The vendor must commit to assist the controller in fulfilling the controller's obligations regarding data subject rights (the right to information, right to deletion, etc.). If you are a processor, you must have measures to deal with such requests from clients or users.

Assisting the controller

The vendor must assist the controller in meeting its obligations to:

  • keep personal data secure;
  • notify personal data breaches to the data protection authority;
  • report personal data breaches to data subjects;
  • carry out data protection impact assessments (DPIAs) when required.

End-of-contract provisions

The agreement must include terms to ensure the continuing protection of the personal data after the agreement ends; this reflects that it is ultimately for the controller to decide what should happen to the personal data once processing is complete. The controller could decide to have the vendor delete all personal data or return the personal data to the controller.

Audits and inspections

This provision obliges the processor to demonstrate compliance with the whole of Article 28 to the controller. The processor can give the necessary information to the controller or submit to an audit or inspection.

Do I need a Data Processing Agreement?

If you share personal data with a third-party vendor, you need a data processing agreement. Some popular processors like Salesforce and AWS have data processing agreements as a part of their terms and conditions. However, if the vendor does not provide an agreement, you will need to provide one yourself. As part of our privacy hub, we offer you our DPA tool, where you can create your own customised data processing agreement that includes the data processors you use.
