Article 28 - Processor

Article 28 sets out the duties of data processors under the GDPR, requiring them to process personal data only on the controller's instructions, adopt appropriate technical and organisational safeguards, and keep records of processing activities. It also obliges controllers and processors to conclude a written contract that details the processor's responsibilities, sub-processor terms and audit rights.