Article 28 of the General Data Protection Regulation (GDPR) outlines the obligations of data processors in relation to the processing of personal data on behalf of a data controller.
Specifically, Article 28 GDPR requires that data processors:
Process personal data only on the documented instructions of the data controller, unless required to do so by law.
Ensure that all personnel authorized to process personal data are bound by confidentiality obligations.
Implement appropriate technical and organizational measures to ensure the security of personal data.
Engage only subprocessors that provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR.
Assist the data controller in ensuring compliance with the GDPR's obligations, such as data subject rights, security, data breaches, and data protection impact assessments.
At the choice of the data controller, delete or return all personal data at the end of the processing services, unless required to keep the data by law.
Make available to the data controller all information necessary to demonstrate compliance with the GDPR and allow for audits by the controller or an auditor appointed by the controller.
Overall, Article 28 GDPR aims to ensure that data processors act in a responsible and transparent manner when processing personal data on behalf of data controllers.
nones
