GDPR Article 28: Processor

All 99 Articles Chapter 4: Controller and Processor

Whenever a processor handles data on your behalf, a written contract with specific mandatory terms (a Data Processing Agreement) must be in place. Processors have direct obligations too.

Key points

Use only processors giving sufficient guarantees.
A contract must set out subject-matter, duration, instructions, confidentiality, security and sub-processing.

Read the official text on EUR-Lex

29Processing under the authority of controller or processor 32Security of processing 4Definitions 26Joint controllers 30Records of processing activities 40–43Codes of conduct and certification

Practical guidance

The GDPR Compliance Checklist for 2026: A Practical 12-Step Guide

These summaries are a plain-English orientation only and are not a substitute for the official text of the Regulation or for legal advice.

Need to apply Article 28?

Our data-protection lawyers turn the text into a plan.

Talk to a lawyer

Back to all articles

Article 28 — Processor

Key points

Related articles