Mandatory Article 28(3) contract terms
Processing by a processor must be governed by a written contract (or other binding legal act), and Article 28(3) sets out the terms that contract must contain. The relative bargaining power of the parties affects the wording, but from the controller's point of view the obligations should be as explicit as possible. The core terms: process only on documented instructions; ensure confidentiality; implement appropriate security (Article 32); respect the sub-processor authorisation rules; assist the controller with data-subject rights and with Articles 32–36; at the controller's choice, delete or return all data at the end of the services; make available all information needed to demonstrate compliance; and allow for and contribute to audits.
| # | Term | What it requires |
|---|---|---|
| 1 | Documented instructions | Process personal data only on the controller's documented instructions, including for international transfers, unless required by EU/member state law (then inform the controller first, unless that law prohibits it) |
| 2 | Confidentiality | Ensure persons authorised to process are committed to confidentiality or under a statutory duty of confidentiality |
| 3 | Security (Art 32) | Take all appropriate technical and organisational security measures |
| 4 | Sub-processor authorisation | Respect the Art 28(2)/(4) conditions for engaging sub-processors (prior authorisation, flow-down, liability) |
| 5 | Assist with data-subject rights | Help the controller respond to individuals exercising their rights, by appropriate technical and organisational measures, insofar as possible |
| 6 | Assist with Arts 32–36 | Assist the controller in meeting security, breach notification, DPIA and prior-consultation obligations, given the nature of processing and information available |
| 7 | Deletion or return | At the controller's choice, delete or return all personal data at the end of services and delete existing copies, unless EU/member state law requires storage |
| 8 | Demonstrate compliance | Make available all information needed to demonstrate compliance with Article 28 |
| 9 | Audits | Allow for and contribute to audits by the controller or an appointed auditor |
Article 28(3) terms: Instructions, Confidentiality, Security, Sub-processors, Assist (rights), Assist (Arts 32–36), Delete/Return, Demonstrate compliance, Audits.
Two related practical clauses sit alongside these terms. The first is employee vetting: ensuring the reliability and training of employees and subcontractor personnel, and that they treat the data as confidential. The second is reliance on the supplier's skill and knowledge to decide what security is 'appropriate' to the harm and to the nature of the data, having regard to the state of technological development and the cost of implementing the measures.