
Article 28 GDPR. Processor

1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.

Here is the relevant paragraph to article 28(2) GDPR:

8.5.6 Disclosure of subcontractors used to process PII

Control

The organization should disclose any use of subcontractors to process PII to the customer before use.

Implementation guidance

Provisions for the use of subcontractors to process PII should be included in the customer contract.


3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:

(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.

Here is the relevant paragraph to article 28(3)(a) GDPR:

8.2.2 Organization's purposes

Control

The organization should ensure that PII processed on behalf of a customer are only processed for the purposes expressed in the documented instructions of the customer.

Implementation guidance

The contract between the organization and the customer should include, but not be limited to, the objective and time frame to be achieved by the service.


(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

ISO 27701

ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 13.2.4.

Here is the relevant paragraph to article 28(3)(b) GDPR:

6.10.2.4 Confidentiality or non-disclosure agreements

Implementation guidance

The organization should ensure that individuals operating under its control with access to PII are subject to a confidentiality obligation. The confidentiality agreement, whether part of a contract or separate, should specify the length of time the obligations should be adhered to.


(c) takes all measures required pursuant to Article 32;

(d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;

ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.

Here is the relevant paragraph to article 28(3)(d) GDPR:

8.5.7 Engagement of a subcontractor to process PII

Control

The organization should only engage a subcontractor to process PII according to the customer contract.

Implementation guidance

Where the organization subcontracts some or all of the processing of that PII to another organization, a written authorization from the customer is required prior to the PII being processed by the subcontractor. This can be in the form of appropriate clauses in the customer contract, or can be a specific "one-off" agreement.

(e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;

ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.

Here is the relevant paragraph to article 28(3)(e) GDPR:

8.3.1 Obligations to PII principals

Control

The organization should provide the customer with the means to comply with its obligations related to PII principals.

Implementation guidance

A PII controller’s obligations can be defined by legislation, by regulation and/or by contract. These obligations can include matters where the customer uses the services of the organization for implementation of these obligations.


(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;

(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;

ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.

Here is the relevant paragraph to article 28(3)(g) GDPR:

8.4.2 Return, transfer or disposal of PII

Control

The organization should provide the ability to return, transfer and/or dispose of PII in a secure manner. It should also make its policy available to the customer.

Implementation guidance

At some point in time, PII can need to be disposed of in some manner. This can involve returning the PII to the customer, transferring it to another organization or to a PII controller (e.g. as a result of a merger), deleting or otherwise destroying it, de-identifying it or archiving it.


(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

4. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.

ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.

Here is the relevant paragraph to article 28(4) GDPR:

8.5.6 Disclosure of subcontractors used to process PII

Control

The organization should disclose any use of subcontractors to process PII to the customer before use.

Implementation guidance

Provisions for the use of subcontractors to process PII should be included in the customer contract.


5. Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.

6. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.

7. The Commission may lay down standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2).

8. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.

9. The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.

10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.

Expert commentary

A processor is a person or an organization that processes personal data on behalf and under the authority of a controller [Articles 4(8) and 28(1)]. The term used in the English text of the General Data Protection Regulation (GDPR) remains difficult to apprehend by a non-legal audience, so it is useful to turn to other linguistic versions for a better understanding.


Author: Louis-Philippe Gratton PhD, LLM, Privacy Expert

ISO 27701

ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27001, section 4.1.

Here is the relevant paragraph to articles 28(5), 28(6), and 28(10) GDPR:

5.2.1 Understanding the organization and its context

The organization shall include among its interested parties (see ISO/IEC 27001:2013, 4.2), those parties having interests or responsibilities associated with the processing of PII, including the PII principals.


Recitals

(81) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller. The carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject. The controller and processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission. After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store the personal data under Union or Member State law to which the processor is subject.
