Article 28 of the GDPR: Subcontractors
Article 28 of the GDPR governs the relationship between a data controller and a subcontractor (processor) who processes personal data on its behalf. It imposes strict contractual obligations to guarantee that the subcontracted processing is compliant.
Article 28 of the GDPR explained
The data controller may only use subcontractors offering sufficient guarantees in terms of data protection.
A written contract must frame the relationship and contain in particular:
- The subject matter, duration, nature and purpose of the processing;
- The types of data and categories of persons concerned;
- The obligations of the subcontractor, including confidentiality, security, assistance in responding to data subject requests, return or deletion of data at the end of the service, auditability, etc.
Why is this article important for your GDPR compliance?
The data controller remains fully responsible for the data, even when processing is subcontracted. The choice and monitoring of subcontractors are therefore crucial to guaranteeing the overall compliance of your organization.
How to comply with Article 28 of the GDPR?
- Evaluate the guarantees provided by your subcontractors (certifications, documented practices, etc.).
- Conclude a compliant GDPR subcontracting contract.
- Regularly monitor subcontractor practices (audits, compliance reviews).
- Ensure that no processing is carried out without the authorization of the controller.
Examples of application of Article 28 of the GDPR
- A company entrusts the hosting of its data to a cloud provider: a GDPR subcontracting contract is signed.
- An HR firm outsources payroll processing to a service provider: it checks security and confidentiality guarantees.
- A company uses an outsourced CRM: it regulates processing through a specific clause in the contract.