GDPR Article 28 Explained: Processor Obligations, Contracts, and 5 Practical Examples

The General Data Protection Regulation (GDPR) fundamentally changed how organizations handle personal data within the European Union and beyond. While many discussions focus on data controllers, GDPR Article 28 places equally important obligations on data processors—companies and individuals that process personal data on behalf of a controller.

Article 28 is one of the most practical and frequently applied provisions of the GDPR. It governs how controllers must select processors, what contractual safeguards are mandatory, and what operational standards processors must follow. Failure to comply can expose both parties to regulatory fines, contractual disputes, and reputational damage.


What Is GDPR Article 28?

GDPR Article 28 regulates the relationship between data controllers and data processors. It ensures that personal data is only processed by processors that provide sufficient guarantees of GDPR compliance and that such processing is governed by a legally binding contract or legal act.

In simple terms, Article 28 answers three critical questions:

  1. Who can process personal data on behalf of a controller?
  2. Under what conditions is processing allowed?
  3. What must be included in a controller–processor agreement?

The goal is accountability. Controllers remain legally responsible for the personal data they collect, even when processing is outsourced. Article 28 ensures processors cannot act independently or irresponsibly with personal data.


Who Is a Data Processor Under the GDPR?

A data processor is any natural or legal person that processes personal data on behalf of a data controller. Processors do not determine the purpose or means of processing; they act strictly under instructions.

Common examples of processors include:

  • Cloud hosting providers
  • Payroll service providers
  • Email marketing platforms
  • CRM and analytics providers
  • Customer support outsourcing companies
  • Payment processing services

If a service provider decides how and why data is processed, it may be considered a controller or joint controller, not a processor. Article 28 applies only when the controller–processor relationship is clearly defined.


The Core Purpose of Article 28

Article 28 exists to prevent uncontrolled data sharing and misuse when controllers rely on third parties. Without strict rules, controllers could outsource processing to insecure or non-compliant vendors, putting individuals’ rights at risk.

Article 28 ensures:

  • Processors meet high data protection standards
  • Processing is limited to the controller’s instructions
  • Security, confidentiality, and accountability are enforced
  • Sub-processors are properly regulated
  • Controllers can demonstrate GDPR compliance

Obligation to Use Only Compliant Processors

Under Article 28(1), controllers may only engage processors that provide sufficient guarantees to implement appropriate technical and organizational measures.

This means controllers must conduct due diligence before selecting a processor. This often includes:

  • Reviewing security certifications
  • Assessing privacy policies and internal controls
  • Verifying GDPR compliance practices
  • Evaluating breach response procedures

Engaging a processor because it is cheap or convenient, without verifying that it offers proper safeguards, is itself a violation of the GDPR.


Mandatory Processor Contracts Under Article 28(3)

One of the most critical aspects of Article 28 is the requirement for a binding contract between the controller and the processor.

This contract must be in writing (including electronic form) and must clearly define the processing relationship.

Required Contractual Elements

Article 28(3) requires the contract to include, at minimum:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Types of personal data involved
  • Categories of data subjects
  • Obligations and rights of the controller

Additionally, the contract must obligate the processor to:

  • Process data only on documented instructions from the controller
  • Ensure confidentiality of authorized personnel
  • Implement appropriate security measures
  • Assist the controller with data subject rights
  • Assist with breach notifications and impact assessments
  • Delete or return personal data after termination
  • Make compliance information available for audits

A generic service agreement is not enough. A Data Processing Agreement (DPA) or equivalent clause is mandatory.


Processor Responsibilities Under Article 28

Article 28 does not merely impose obligations through contracts—it creates direct legal duties for processors.

Processors must:

  • Act only on the controller’s instructions
  • Implement GDPR-level security
  • Keep records of processing activities
  • Cooperate with supervisory authorities
  • Notify controllers of breaches without undue delay
  • Not engage sub-processors without authorization

Processors can be fined directly under the GDPR if they fail to comply, even if the controller is also at fault.


Sub-Processors and Article 28(2)–(4)

Processors often rely on other vendors, known as sub-processors. Article 28 strictly regulates this practice.

Processors may not engage sub-processors without:

  • Prior written authorization from the controller, or
  • General authorization with the right for the controller to object

Sub-processors must be bound by the same data protection obligations as the main processor. If a sub-processor violates the GDPR, the main processor remains fully liable to the controller.

This ensures a consistent chain of accountability throughout the data processing ecosystem.


International Data Transfers and Article 28

While Article 28 does not directly regulate international transfers, it plays a key role when processors or sub-processors operate outside the EU.

If processing involves non-EU vendors, the controller–processor contract must align with:

  • Adequacy decisions
  • Standard Contractual Clauses
  • Other lawful transfer mechanisms

Failing to address international transfers within the Article 28 framework can expose organizations to serious compliance risks.


Audits and Accountability

Article 28 requires processors to make available all information necessary to demonstrate compliance and to allow audits, including inspections conducted by the controller or an appointed auditor.

This does not mean controllers can demand unrestricted access at any time. Audit rights must be reasonable, proportionate, and aligned with contractual terms. However, refusing audits altogether is not allowed.


Penalties for Non-Compliance

Violations of Article 28 can result in administrative fines of up to:

  • €10 million, or
  • 2% of global annual turnover

Regulators frequently investigate Article 28 breaches because they are easy to identify and often systemic: a missing DPA or unauthorized sub-processing, for example, is visible from the paperwork alone.


5 Practical Examples of GDPR Article 28 in Action


Example 1: E-Commerce Store Using a Cloud Hosting Provider

An online store collects customer data for orders and payments. It uses a cloud hosting provider to store its database.

The store is the data controller. The hosting provider is the data processor.

To comply with Article 28:

  • The store verifies the provider’s security measures
  • A written data processing agreement is signed
  • The contract limits processing to hosting purposes only
  • Sub-processors (data centers) are disclosed and authorized
  • The provider commits to data deletion upon contract termination

Without this agreement, the store would be violating GDPR, even if no breach occurred.


Example 2: Marketing Agency Running Email Campaigns

A marketing agency runs email campaigns for a client using customer mailing lists provided by the client.

The client is the controller. The agency is the processor.

Under Article 28:

  • The agency may only send emails according to client instructions
  • It cannot reuse email addresses for its own purposes
  • Staff handling the data must be bound by confidentiality
  • The agency must assist with unsubscribe requests
  • Upon campaign completion, the data must be returned or deleted

If the agency uses the data to promote its own services, it becomes a controller and violates Article 28.


Example 3: Payroll Provider Processing Employee Data

A company outsources payroll processing to a third-party provider.

Employee data includes names, bank details, salaries, and tax information—highly sensitive personal data.

Article 28 requires:

  • A detailed processing agreement defining payroll purposes
  • Strong encryption and access controls
  • Immediate breach notification obligations
  • Restrictions on subcontracting accounting services
  • Data deletion once the contract ends

If the payroll provider processes data for analytics or benchmarking without permission, it breaches Article 28.


Example 4: SaaS CRM Platform With Sub-Processors

A business uses a SaaS CRM platform to manage customer relationships.

The CRM provider is a processor and relies on sub-processors for hosting, analytics, and customer support.

To comply with Article 28:

  • The controller authorizes sub-processors
  • The CRM provider flows down GDPR obligations
  • The controller is informed of sub-processor changes
  • Security measures apply across all vendors

Failure to disclose a new sub-processor would violate Article 28, even if no data breach occurs.


Example 5: Outsourced Customer Support Center

A company outsources customer support to a call center that accesses customer accounts.

The call center processes personal data on behalf of the company.

Article 28 compliance includes:

  • A contract limiting access to support functions only
  • Confidentiality agreements for agents
  • Logging and monitoring of data access
  • Clear instructions on handling data subject requests
  • Secure deletion after the service ends

If agents copy customer data for training outside the contract scope, the processor violates Article 28.


Common Article 28 Mistakes to Avoid

Organizations frequently fail to comply due to:

  • Missing or outdated data processing agreements
  • Vague contractual language
  • Unapproved sub-processors
  • Lack of audit rights
  • Processors acting beyond instructions

These mistakes are often discovered during audits or after data breaches, when it is already too late.


How Article 28 Fits Into Overall GDPR Compliance

Article 28 works closely with:

  • Article 5 (data protection principles)
  • Article 24 (controller responsibility)
  • Article 30 (records of processing)
  • Article 32 (security of processing)
  • Article 33 (breach notification)

Together, these provisions create a framework of shared responsibility between controllers and processors.


Final Thoughts

GDPR Article 28 is not a formality—it is a cornerstone of lawful data processing. It ensures that outsourcing does not mean losing control over personal data and that individuals’ rights remain protected regardless of how many vendors are involved.

For controllers, Article 28 demands careful vendor selection and contractual discipline. For processors, it establishes direct legal responsibility and accountability.