GDPR Article 28 — Processor
Enforced by: ICO (UK) / national data protection authorities
Current as of May 25, 2018
Plain Language Summary
Every vendor who processes personal data on your behalf needs a Data Processing Agreement (DPA). You're responsible for your processors' compliance.
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation.
Processing by a processor shall be governed by a contract that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.