The Processor and the Article 28 Contract
A processor is a separate legal entity that processes personal data on behalf of a controller. Two building blocks: (1) separate legal entity, (2) processes on the controller's behalf. A department cannot be a processor for another department in the same company, and direct employees/temps of the controller are not processors (they act under Article 29 on instructions). Article 28 requires a written contract with mandatory terms: process only on documented instructions, confidentiality, Article 32 security, sub-processor conditions, assist with data subject rights and Articles 32–36, delete or return data at the end, and allow audits. Sub-processors need the controller's prior authorisation; the initial processor stays fully liable for them.

| Entity / scenario | Counts as a processor? |
|---|---|
| A separate legal entity processing on the controller's behalf (e.g. a group subsidiary) | Yes |
| A department processing for another department in the same company | No - not a separate legal entity |
| A temporary employee / individual under the controller's direct authority | No - part of the controller's own organisation (governed by Article 29) |
| A service provider that determines the purposes / essential means | No - it becomes a controller (Article 28(10)) |

- The Article 28 contract must be in writing and set out the nature and purpose of processing, the type of personal data and categories of data subjects.
- Mandatory processor commitments: process only on documented instructions; ensure confidentiality; apply Article 32 security; respect sub-processor conditions; assist with data subject rights and with Articles 32–36 (security, DPIAs, breach notification); at the controller's choice delete or return all data at the end; and allow and contribute to audits/inspections.
- Both controller and processor are responsible for ensuring a contract exists - a processor should not stay silent if a proposed contract omits Article 28 terms.
- A processor may not engage a sub-processor without the controller's prior authorisation (general or specific); with general authorisation, the controller must get a chance to object.
- The initial processor remains fully liable to the controller for its sub-processors' performance.
- A service provider drafting the contract terms does not, by itself, make it a controller.

A processor must be a separate legal entity. So a department cannot be a processor for another department in the same company, and a controller's own temps/employees are not processors - they are covered by Article 29 (process only on instructions). A subsidiary in a group, however, can be a processor for another group company.