Article 28 GDPR
Processor

P: 29, 71, 81, 156 | W15

1. If the processing is to be carried out on behalf of the controller, the controller shall use only such processors that provide sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing meets the requirements of this Regulation and protects the rights of data subjects.

P: 81

2. A processor shall not engage another processor without the prior specific or general written consent of the controller. In the case of general written consent, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

P: 81

3. Processing by a processor shall be carried out on the basis of a contract or other legal instrument that is governed by Union law or the law of a Member State and binds the processor and the controller, specifies the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the controller. This contract or other legal instrument shall specifically provide that the processor:

P: 81-83 | R: 77

(a) process personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless such an obligation is imposed on the processor by Union law or by the law of a Member State to which the processor is subject; in such a case, before starting the processing, the processor shall inform the controller of that legal obligation, unless that law prohibits the provision of such information on important grounds of public interest;

P: 81, 108, 109

(b) ensure that persons authorised to process personal data undertake to maintain confidentiality or are subject to an appropriate statutory duty of confidentiality;

P: 81, 108, 109

(c) take all measures required under Article 32;

P: 81, 108, 109

(d) comply with the conditions of use of the services of another processor referred to in paragraphs 2 and 4;
(e) taking into account the nature of the processing, assist the controller, wherever possible, through appropriate technical and organisational measures, in fulfilling its obligation to respond to requests by data subjects for the exercise of their rights set out in Chapter III;
(f) taking into account the nature of the processing and the information available to it, assist the controller in fulfilling the obligations set out in Articles 32 to 36;
(g) upon termination of the provision of processing services, at the choice of the controller, delete or return to the controller all personal data and delete any existing copies thereof, unless Union or Member State law requires the storage of the personal data;
(h) provide the controller with all information necessary to demonstrate compliance with the obligations set out in this Article and allow for and contribute to audits, including inspections, conducted by the controller or by an auditor authorised by the controller.
In the context of the obligation laid down in point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction issued to it infringes this Regulation or other Union or Member State data protection provisions.
4. If a processor uses another processor to perform specific processing activities on behalf of the controller, the same data protection obligations shall be imposed on that other processor under a contract or other legal act governed by Union law or the law of a Member State as in the contract or other legal act between the controller and the processor referred to in paragraph 3, in particular the obligation to provide sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing complies with the requirements of this Regulation. If this other processor fails to comply with its data protection obligations, the full liability to the controller for compliance with the obligations of this other processor shall rest with the original processor.
5. The processor may demonstrate the adequate safeguards referred to in paragraphs 1 and 4 of this Article, inter alia, by applying an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42.
6. Without prejudice to individual agreements between the controller and the processor, the contract or other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on the standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including where they form part of a certification granted to the controller or processor pursuant to Articles 42 and 43.
7. The Commission may establish standard contractual clauses concerning the matters referred to in paragraphs 3 and 4 of this Article, in accordance with the examination procedure referred to in Article 93(2).
8. The supervisory authority may adopt standard contractual clauses concerning the matters referred to in paragraphs 3 and 4 of this Article, in accordance with the consistency mechanism referred to in Article 63.
9.* The contract or other legal instrument referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.
10. Without prejudice to Articles 82, 83, and 84, if a processor infringes this Regulation by determining the purposes and means of processing, it shall be considered a controller in respect of that processing.

*Article 28(9) as amended by the corrigendum of 23 May 2018 (OJ L 127, 2018, p. 2), which entered into force on 23 May 2018.
