1. Fejn l-ipproċessar ikun ser isir f’isem kontrollur, il-kontrollur għandu juża biss proċessuri li jagħtu garanziji suffiċjenti biex jiġu implimentati miżuri tekniċi u organizzattivi xierqa b’tali mod li l-ipproċessar jissodisfa r-rekwiżiti ta’ dan ir-Regolament u jiżgura l-protezzjoni tad-drittijiet tas-suġġett tad-data.
2. Il-proċessur m’għandux jimpjega proċessur ieħor mingħajr l-awtorizzazzjoni bil-miktub, speċifika jew ġenerali, minn qabel tal-kontrollur. Fil-każ tal-awtorizzazzjoni ġenerali bil-miktub, il-proċessur għandu jgħarraf lill-kontrollur bi kwalunkwe intenzjoni ta’ tibdil rigward iż-żieda jew is-sostituzzjoni ta’ proċessuri oħrajn, biex b’hekk jagħti l-opportunità lill-kontrollur joġġezzjona għal tali bidliet.
3. L-ipproċessar minn proċessur għandu jkun regolat minn kuntratt jew att legali ieħor taħt il-liġi tal-Unjoni jew ta’ Stat Membru, li jorbot lill-proċessur fir-rigward tal-kontrollur, u li jistabbilixxi s-suġġett u t-tul tal-ipproċessar, in-natura u l-għan tal-ipproċessar, it-tip ta’ data personali u l-kategoriji tas-suġġetti tad-data u l-obbligi u d-drittijiet tal-kontrollur. Dak il-kuntratt jew att legali ieħor għandu jistipula, b’mod partikolari, li l-proċessur:
(a) jipproċessa d-data personali fil-każ biss ta’ istruzzjonijiet dokumentati mill-kontrollur, inkluż fir-rigward tat-trasferimenti tad-data personali lil pajjiż terz jew organizzazzjoni internazzjonali, ħlief jekk ikun obbligat jagħmel dan skont il-liġi tal-Unjoni jew ta’ Stat Membru li l-proċessur ikun soġġett għalih; f’dak il-każ, il-proċessur għandu jinforma lill-kontrollur b’dak ir-rekwiżit legali qabel l-ipproċessar, ħlief jekk dik il-liġi tipprojbixxi dik l-informazzjoni għal raġunijiet importanti ta’ interess pubbliku;
ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.
Here is the relevant paragraph to article 28(3)(a) GDPR:
8.2.2 Organization’s purposes
Control
The organization should ensure that PII processed on behalf of a customer are only processed for the purposes expressed in the documented instructions of the customer.
Implementation guidance
The contract between the organization and the customer should include, but not be limited to, the objective and time frame to be achieved by the service.
[…]
Sign in
to read the full text
(b) jiżgura li l-persuni awtorizzati biex jipproċessaw id-data personali jkunu impenjaw ruħhom li jżommu l-kunfidenzjalità jew li jkunu taħt obbligu statutorju xieraq ta’ kunfidenzjalità;
ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 13.2.4.
Here is the relevant paragraph to article 28(3)(b) GDPR:
6.10.2.4 Confidentiality or non-disclosure agreements
Implementation guidance
The organization should ensure that individuals operating under its control with access to PII are subject to a confidentiality obligation. The confidentiality agreement, whether part of a contract or separate, should specify the length of time the obligations should be adhered to.
[…]
Sign in
to read the full text
ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.
Here is the relevant paragraph to article 28(3)(d) GDPR:
8.5.7 Engagement of a subcontractor to process PII
Control
The organization should only engage a subcontractor to process PII according to the customer contract.
Implementation guidance
Where the organization subcontracts some or all of the processing of that PII to another organization, a written authorization from the customer is required prior to the PII processed by the subcontractor. This can be in the form of appropriate clauses in the customer contract, or can be a specific “one-off” agreement.
[…]
Sign in
to read the full text
(e) jieħu kont tan-natura tal-ipproċessar, jassisti lill-kontrollur permezz ta’ miżuri tekniċi u organizzattivi xierqa, sa fejn dan ikun possibbli, għat-twettiq tal-obbligu tal-kontrollur li jwieġeb għat-talbiet tal-eżerċitar tad-drittijiet tas-suġġett tad-data mniżżla fil-Kapitolu III;
ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.
Here is the relevant paragraph to article 28(3)(e) GDPR:
8.3.1 Obligations to PII principals
Control
The organization should provide the customer with the means to comply with its obligations related to PII principals.
Implementation guidance
A PII controller’s obligations can be defined by legislation, by regulation and/or by contract. These obligations can include matters where the customer uses the services of the organization for implementation of these obligations.
[…]
Sign in
to read the full text
(g) fuq l-għażla tal-kontrollur, iħassar jew jirritorna d-data personali kollha lill-kontrollur wara li jintemm il-forniment ta’ servizzi relatati mal-ipproċessar ta’ data, u jħassar il-kopji eżistenti sakemm il-liġi tal-Unjoni jew ta’ Stat Membru ma tirrikjedix li d-data personali tinħażen;
ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.
Here is the relevant paragraph to article 28(3)(g) GDPR:
8.4.2 Return, transfer or disposal of PII
Control
The organization should provide the ability to return, transfer and/or disposal of PII in a secure manner. It should also make its policy available to the customer.
Implementation guidance
At some point in time, PII can need to be disposed of in some manner. This can involve returning the PII to the customer, transferring it to another organization or to a PII controller (e.g. as a result of a merger), deleting or otherwise destroying it, de-identifying it or archiving it.
[…]
Sign in
to read the full text
(h) jagħmel disponibbli għall-kontrollur kull informazzjoni meħtieġa biex tintwera l-konformità mal-obbligi stabbiliti f’dan l-Artikolu u jippermetti u jikkontribwixxi għal verifiki, inklużi ispezzjonijiet imwettqa mill-kontrollur jew minn awditur ieħor li jkun ingħata l-mandat mill-kontrollur.
ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.
Here is the relevant paragraphs to article 28(3)(h) GDPR:
8.2.4 Infringing instruction
Control
The organization should inform the customer if, in its opinion, a processing instruction infringes applicable legislation and/or regulation.
Implementation guidance
The organization’s ability to verify if the instruction infringes legislation and/or regulation can depend on the technological context, on the instruction itself, and on the contract between the organization and the customer.
8.2.5 Customer obligations
Control
The organization should provide the customer with the appropriate information such that the customer can demonstrate compliance with their obligations.
Implementation guidance
The information needed by the customer can include whether the organization allows for and contributes to audits conducted by the customer or another auditor mandated or otherwise agreed by the customer.
Fir-rigward tal-punt (h) tal-ewwel subparagrafu, il-proċessur għandu minnufih jgħarraf lill-kontrollur jekk, fl-opinjoni tiegħu, istruzzjoni tikser dan ir-Regolament jew dispożizzjonijiet oħrajn tal-Unjoni jew ta’ Stat Membru dwar il-protezzjoni tad-data.
4. Fejn proċessur jimpjega proċessur ieħor biex iwettaq attivitajiet speċifiċi ta’ pproċessar f’isem il-kontrollur, l-istess obbligi ta’ protezzjoni tad-data kif jinsabu fil-kuntratt jew att legali ieħor bejn il-kontrollur u l-proċessur kif imsemmijin fil-paragrafu 3 għandhom jiġu imposti fuq dak il-proċessur l-ieħor permezz ta’ kuntratt jew att legali ieħor skont il-liġi tal-Unjoni jew ta’ Stat Membru, li b’mod partikolari jagħtu garanziji suffiċjenti biex jiġu implimentati miżuri tekniċi u organizzattivi xierqa b’tali mod li l-ipproċessar jissodisfa r-rekwiżiti ta’ dan ir-Regolament. Fejn dak il-proċessur l-ieħor jonqos milli jħares l-obbligi tiegħu għall-protezzjoni tad-data, il-proċessur inizjali għandu jibqa’ kompletament responsabbli quddiem il-kontrollur għat-twettiq tal-obbligi ta’ dak il-proċessur l-ieħor.
ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.
Here is the relevant paragraph to article 28(4) GDPR:
8.5.6 Disclosure of subcontractors used to process PII
Control
The organization should disclose any use of subcontractors to process PII to the customer before use.
Implementation guidance
Provisions for the use of subcontractors to process PII should be included in the customer contract.
[…]
Sign in
to read the full text
6. Mingħajr preġudizzju għal kuntratt individwali bejn il-kontrollur u l-proċessur, il-kuntratt jew l-att legali l-ieħor imsemmi fil-paragrafu 3 u 4 ta’dan l-Artikolu jistgħu jkunu bbażati, b’mod sħiħ jew parzjalment, fuq klawżoli kuntrattwali standard imsemmija fil-paragrafi 7 u 8 ta’dan l-Artikolu inkluż meta jagħmlu parti minn ċertifikazzjoni mogħtija lill-kontrollur jew lill-proċessur skont l-Artikoli 42 u 43.
A processor is a person or an organization that processes personal data on behalf and under the authority of a controller [Articles 4(8) and 28(1)]. The term used in the English text of the General Data Protection Regulation (GDPR) remains difficult to apprehend by a non-legal audience, so it is useful to turn to other linguistic versions for a better understanding.
[…]
Sign in
to read the full text
ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27001, section 4.1.
Here is the relevant paragraph to articles 28(5), 28(6), and 28(10) GDPR:
5.2.1 Understanding the organization and its context
The organization shall include among its interested parties (see ISO/IEC 27001:2013, 4.2), those parties having interests or responsibilities associated with the processing of PII, including the PII principals.
[…]
Sign in
to read the full text
(81) Sabiex tiġi żgurata l-konformità mar-rekwiżiti ta' dan ir-Regolament fir-rigward tal-ipproċessar li għandu jitwettaq mill-proċessur f'isem il-kontrollur, meta jafda proċessur bl-attivitajiet tal-ipproċessar, il-kontrollur għandu juża biss proċessuri li jipprovdu garanziji suffiċjenti, b'mod partikolari f'termini ta' għarfien espert, affidabbiltà u riżorsi, għall-implimentazzjoni ta' miżuri tekniċi u ta' organizzazzjoni li jissodisfaw ir-rekwiżiti ta' dan ir-Regolament, inkluż għas-sigurtà tal-ipproċessar. Il-konformità tal-proċessur ma' kodiċi ta' kondotta approvat jew mekkaniżmu ta' ċertifikazzjoni approvat tista' tintuża bħala element li bih tintwera l-konformità mal-obbligi tal-kontrollur. It-twettiq tal-ipproċessar minn proċessur għandu jkun regolat minn kuntratt jew att legali ieħor taħt il-liġi tal-Unjoni jew ta' Stat Membru, li jorbot lill-proċessur mal-kontrollur, li jistabbilixxi s-suġġett u t-tul tal-ipproċessar, in-natura u l-finijiet tal-ipproċessar, it-tip ta' data personali u l-kategoriji tas-suġġetti tad-data, filwaqt li jitqiesu l-kompiti u r-responsabbiltajiet speċifiċi tal-proċessur fil-kuntest tal-ipproċessar li għandu jitwettaq u r-riskju għad-drittijiet u l-libertajiet tas-suġġett tad-data. Il-kontrollur u l-proċessur jistgħu jagħżlu li jużaw kuntratt individwali jew klawżoli kuntrattwali standard li jiġu adottati jew b'mod dirett mill-Kummissjoni jew minn awtorità superviżorja f'konformità mal-mekkaniżmu ta' konsistenza u wara adottati mill-Kummissjoni. Wara t-tlestija tal-ipproċessar f'isem il-kontrollur, il-proċessur għandu, fuq għażla tal-kontrollur, jirritorna jew iħassar id-data personali, sakemm ma jkunx hemm rekwiżit li tinħażen id-data personali taħt il-liġi tal-Unjoni jew ta' Stat Membru li għaliha jkun soġġett il-proċessur.
CJEU, Tietosuojavaltuutettu/Jehovan todistajat – uskonnollinen yhdyskunta (Jehovah’s Witnesses case), Opinion of Advocate General, C‑25/17 (2018).
CJEU, Tietosuojavaltuutettu/Jehovan todistajat – uskonnollinen yhdyskunta (Jehovah’s Witnesses case), C‑25/17 (2018).
Article 29 Working Party, Opinion 1/2010 on the concepts of “controller” and “processor” (2010).
EDPB, Guidelines on the Concepts of Controller, Processor and Joint Controllership Under Regulation (EU) 2018/1725 (2019).
EDPB, Opinion 14/2019 on the draft Standard Contractual Clauses submitted by the DK SA (Article 28(8) GDPR) (2019).
EDPB, Guidelines 7/2020 on the Concepts of Controller and Processor in the GDPR (2021).
CNIL, Guide for processors (2017) – Guidelines from the French Supervisory Authority that includes the template of Data Processing Agreement between controllers and processors.
Denmark Supervisory Authority, DK SA Standard Contractual Clauses for the purposes of compliance with art. 28 GDPR (2020).
DPC (Ireland), Guidance for Individuals who Accidentally Receive Personal data (2020).
ICO, Right of Access (2020).
ICO, Data sharing: a code of practice (2020).
ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.
Here is the relevant paragraphs to article 28(2) GDPR:
8.5.6 Disclosure of subcontractors used to process PII
Control
The organization should disclose any use of subcontractors to process PII to the customer before use.
Implementation guidance
Provisions for the use of subcontractors to process PII should be included in the customer contract.
[…]
Sign in
to read the full text