Registora

Guide / GDPR

Updated 24 May 2026

GDPR Article 28, explained

GDPR Article 28 governs the relationship between a data controller and the processors it engages. It requires a written contract (a Data Processing Agreement) with specific mandatory terms, sets the rules for engaging subprocessors, and makes the processor accountable for the whole chain.

Key facts

  • 01Article 28 requires a written Data Processing Agreement (DPA) between a controller and any processor it engages.
  • 02The DPA must include the eight specific obligations listed in Article 28(3)(a)-(h), covering instructions, confidentiality, security, subprocessors, data-subject rights, compliance assistance, data return or deletion, and audits.
  • 03Processors must obtain the controller's prior authorisation - specific or general written - before engaging any subprocessor (Art. 28(2)).
  • 04Subprocessors must be bound by the same data-protection obligations as the processor, via a written contract (Art. 28(4)).
  • 05If a subprocessor fails to meet its obligations, the original processor remains fully liable to the controller.
§ I

What Article 28 covers

GDPR distinguishes between two roles in personal data processing. A controller decides the purposes and means of processing - broadly, the company whose product or service collects the data. A processorprocesses that data on the controller's behalf, under its instructions, without independent authority to use it for other ends.

Article 28 exists because the controller-processor split creates a risk: a controller could comply with GDPR in its own operations but then hand data to a processor that does not. Without binding obligations on the processor, data subjects would have no meaningful protection once their data left the controller's hands.

The article closes that gap by requiring a written contract - a Data Processing Agreement (DPA) - between every controller and every processor it engages. The contract must impose specific, enumerated obligations on the processor. It is not optional, and a generic confidentiality clause or terms-of-service reference is not a substitute.

Article 28 also extends the accountability chain down to subprocessors - the third parties a processor engages to help carry out its work. A cloud hosting provider, a payment processor, a transactional email service: each is a subprocessor if it touches personal data in the course of delivering the service. Read the full explainer on what a subprocessor is.

§ II

The mandatory DPA terms - Article 28(3)

Article 28(3) specifies what the contract between a controller and processor must contain. First, it must set out the subject matter, duration, nature and purpose of the processing, the type of personal data involved, and the categories of data subjects. These are the “processing parameters” - they define the scope of what the processor is authorised to do.

The contract must then impose the following eight obligations on the processor:

  • -(a) Process only on documented instructions. The processor shall process personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or international organisation, unless required to do so by Union or Member State law.
  • -(b) Confidentiality of authorised persons. The processor shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • -(c) Article 32 security measures. The processor shall take all measures required pursuant to Article 32 - the security of processing obligation - which requires appropriate technical and organisational measures proportionate to the risk, such as encryption and pseudonymisation.
  • -(d) Subprocessor conditions. The processor shall respect the conditions referred to in Articles 28(2) and 28(4) for engaging another processor - meaning subprocessors require controller authorisation and must be bound by equivalent obligations.
  • -(e) Data-subject rights.The processor shall assist the controller, taking into account the nature of the processing, in responding to requests for exercising data subjects' rights under Chapter III of the GDPR (access, rectification, erasure, portability, objection, and related rights).
  • -(f) Compliance assistance. The processor shall assist the controller in ensuring compliance with the obligations under Articles 32-36 - covering security of processing, notification of personal data breaches to the supervisory authority, communication of breaches to data subjects, data protection impact assessments, and prior consultation with supervisory authorities.
  • -(g) Deletion or return of data. At the choice of the controller, the processor shall delete or return all personal data to the controller after the end of the provision of services relating to processing, and shall delete existing copies unless Union or Member State law requires storage.
  • -(h) Audit and compliance information. The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28, and shall allow for and contribute to audits, including inspections, conducted by the controller or an auditor mandated by the controller.

These eight obligations are not negotiable. A DPA that omits or waters down any of them does not satisfy Article 28. Many processors use the European Commission's standard contractual clauses (SCCs), which embed these obligations, as a convenient baseline.

§ III

Subprocessors under Article 28

Article 28(2) addresses when and how a processor may bring in a subprocessor. The rule is straightforward: a processor shall not engage another processor without prior specific or general written authorisation from the controller.

Specific authorisation means the controller approves each subprocessor individually before engagement. This is rarely practical at scale. General written authorisation is the common commercial arrangement: the controller agrees in the DPA that the processor may use subprocessors, subject to two conditions - the processor must maintain a current subprocessor list, and must give the controller prior notice of any intended additions or replacements. The controller retains the right to object to any change before it takes effect.

Article 28(4) closes the accountability loop. Where a processor engages a subprocessor, the same data-protection obligations as set out in the processor-controller DPA must be imposed on that subprocessor, by way of a written contract. If the subprocessor fails to fulfil its data protection obligations, the original processor remains fully liable to the controller. You cannot transfer your compliance responsibility by subcontracting.

For a practical explanation of what constitutes a subprocessor and how to identify them in your stack, see What is a subprocessor?

§ IV

What this means in practice for a SaaS company

For a SaaS company acting as a processor on behalf of its B2B customers (the controllers), Article 28 creates four practical obligations:

  • -Sign DPAs with all vendors.Every third-party service that touches your customers' personal data - cloud infrastructure, email delivery, payments, analytics, AI APIs - needs a DPA in place. Most major providers supply one; keep copies and review them when your vendor relationships change.
  • -Publish and maintain a subprocessor list. Your customers (the controllers) need to know who you engage. A current, publicly accessible register satisfies the prior-notice requirement for general written authorisation arrangements. See the upstream providers Registora monitors.
  • -Notify customers of changes before they happen. Before adding or replacing a subprocessor, give customers the notice period specified in your DPA (commonly 10-30 days) so they can raise an objection. A change with no notice is a GDPR violation, not a minor oversight.
  • -Be ready to demonstrate compliance. Enterprise customers and procurement teams will ask for evidence - your subprocessor list, signed DPAs, security certifications, audit rights. This is the Article 28(3)(h) obligation materialised as a sales and procurement requirement. Audit your public register to check whether it is current and complete.
FAQ

Frequently asked questions

What must a DPA include under Article 28?
Article 28(3) requires the DPA to set out the subject matter, duration, nature and purpose of processing, the type of personal data involved, and the categories of data subjects. Beyond that framing, the contract must impose eight specific obligations on the processor: process only on documented instructions; ensure authorised persons are bound by confidentiality; implement the security measures required by Article 32; comply with the subprocessor rules in Articles 28(2) and (4); assist the controller with data-subject rights requests; assist with security, breach notification, and DPIA obligations; delete or return all personal data when services end; and provide information to demonstrate compliance, including audit access.
Do I need a DPA with every vendor I use?
You need a DPA with every vendor that processes personal data on your behalf - meaning any vendor acting under your instructions with data you are responsible for. This typically covers cloud hosting, transactional email, payment processors, analytics tools, customer support platforms, and AI APIs that receive user content. Vendors who determine their own purposes and means of processing are controllers in their own right and a DPA is not the right instrument - you would instead review their privacy policy and consider whether data sharing is lawful under another basis.
What is the difference between Article 28 and a standard NDA?
A non-disclosure agreement protects confidential information from being disclosed to third parties. A Data Processing Agreement under Article 28 is a legally mandated contract that governs how a processor handles personal data - covering lawful processing, security, subprocessors, data-subject rights, breach notification, and audit rights. The two instruments serve different purposes and one does not substitute for the other. Many vendors supply pre-signed DPAs as part of their terms of service; always check that the DPA explicitly covers the Article 28(3) terms rather than relying on a generic confidentiality clause.
Does Article 28 apply if my company is outside the EU?
It can. GDPR Article 3 has extraterritorial reach: if you process personal data of individuals located in the EU in connection with offering goods or services to them, or monitoring their behaviour within the EU, the regulation applies to you regardless of where your company is established. A SaaS company based in the US that serves EU customers is subject to GDPR, and Article 28 applies to all processors it engages. Companies without EU establishment may also need to appoint an EU representative under Article 27.
What are the penalties for non-compliance with Article 28?
Failures under Article 28 - such as processing without a DPA in place, engaging subprocessors without authorisation, or failing to implement Article 32 security measures - can attract administrative fines of up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher, under Article 83(4)(a). More serious violations involving the basic principles of processing or data subjects' rights can reach 20 million euros or 4% of turnover. Supervisory authorities also have the power to issue reprimands, impose temporary or permanent bans on processing, and order data deletion.

This guide is general information only and does not constitute legal advice. For advice on your specific situation, consult a qualified legal professional.

Your turn

Keep your subprocessor register current - automatically.

Registora hosts your register on your own domain, monitors every upstream provider for changes daily, and drafts the customer notification when one updates.

Start your register →Audit your site