Article 28 of the GDPR: Data Processors
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that governs the collection, processing, and use of personal data. The GDPR came into force on May 25, 2018, and applies to all organizations that process personal data of individuals located in the EU, whether they are based in the EU or not.
Article 28 of the GDPR deals with data processors: entities that process personal data on behalf of a data controller, which remains responsible for GDPR compliance for that data.
What is a Data Processor?
A data processor is an entity that processes personal data on behalf of a data controller. The data controller is responsible for ensuring GDPR compliance for all the personal data it processes, including that processed by the data processor.
For example, an online retail company may be responsible for processing the personal data of its customers, such as their name, address, and email address. The company may engage a data processor to host its website, process payments, or send emails to customers. In this case, the data processor will process personal data on behalf of the company, and the company will be responsible for ensuring GDPR compliance for this personal data.
The Obligations of the Data Processor
Article 28 of the GDPR requires the data controller to enter into a written contract with the data processor. This contract must define the obligations of the data processor regarding the protection of personal data. The contract must include, in particular, the following elements:
- The purposes of the processing of personal data;
- The nature of the personal data to be processed;
- The duration of the processing;
- The security measures taken by the data processor to protect personal data;
- The rights of the data controller and the data subjects;
- The procedures for notifying personal data breaches.
The data controller must also ensure that the data processor has the human and technical resources needed to comply with the GDPR, and must be able to monitor the data processor to verify that it meets its obligations regarding the protection of personal data.
The contract must also specify that the data processor is required to comply with the obligations of the GDPR and adhere to the data protection policies and procedures of the company.
The Consequences of Non-Compliance by the Data Processor
In the event that the data processor fails to comply with the GDPR, the data controller may be held liable. The data controller may also be required to pay damages to the data subjects.
Examples of Data Processors
Examples of data processors include:
- Website hosting providers
- Payment processors
- Email service providers
- Marketing agencies
- Accounting firms
- Lawyers
- Consultants
How to Choose a Data Processor?
When choosing a data processor, it is important to consider the following elements:
- The data processor’s experience in data protection;
- The data processor’s security policies and procedures;
- The data processor’s ability to comply with the GDPR;
- The data processor’s references;
- The cost of the data processor’s services.
In Brief
Article 28 of the GDPR is important because it ensures that personal data is protected when processed by a data processor. The data controller must take all necessary measures to ensure that the data processor meets its obligations regarding the protection of personal data.
The choice of a data processor is an important decision. It is essential to consider all the elements mentioned above to ensure that the chosen data processor complies with the GDPR and protects your company’s personal data.
In the event that the data processor fails to comply with the GDPR, the company may be held liable. The company may also be required to pay damages to the data subjects.
The online retail example above illustrates the importance of choosing a data processor that complies with the GDPR and has the necessary human and technical resources to protect personal data.