GRCWatch
Sign inStart free trial

GDPR A28-02: Processor Obligations and Instructions

As a data processor, you're legally bound to process personal data only on documented instructions from controllers. This control establishes your core compliance obligations including confidentiality requirements, assistance with data subject rights, and security responsibilities. Failing to meet these obligations exposes your organization to regulatory fines and reputational damage.

What this means

GDPR Article 28(2) requires processors to act only on written instructions from data controllers. Your organization must ensure that anyone with access to personal data is bound by confidentiality agreements. You're also responsible for assisting controllers with their compliance obligations—including responding to data subject access requests, implementing security measures, notifying controllers of breaches, conducting Data Protection Impact Assessments (DPIAs) when required, and consulting with controllers before engaging sub-processors. This is a foundational control that shapes your entire data handling framework.

How to comply

  1. 1.Establish and maintain written Data Processing Agreements (DPAs) with every controller that document the purpose, duration, nature, and scope of processing
  2. 2.Create confidentiality policies and ensure all employees, contractors, and authorized personnel sign confidentiality agreements before accessing personal data
  3. 3.Implement procedures to respond to controller requests for assistance with data subject rights (access, rectification, erasure, portability)
  4. 4.Document your security measures and make them available to controllers for audit and verification
  5. 5.Establish breach notification procedures to alert controllers without undue delay when a breach occurs
  6. 6.Create a process for controllers to request Data Protection Impact Assessments before processing begins
  7. 7.Maintain a sub-processor register and obtain controller approval before engaging any sub-processors
  8. 8.Conduct regular training for all staff on processor obligations and confidentiality requirements

Evidence auditors look for

  • Signed Data Processing Agreements with all data controllers
  • Confidentiality agreements signed by all employees with data access
  • Written policies on data subject rights procedures and response timelines
  • Security documentation provided to controllers (encryption, access controls, audit logs)
  • Breach notification log showing controller alerts and timelines
  • Sub-processor authorization records and contracts
  • DPIA request and completion records
  • Staff training records on processor obligations and confidentiality

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates Data Processing Agreement templates, tracks sub-processor approvals, and logs all controller instructions in one audit-ready dashboard—eliminating manual tracking and reducing processor obligation compliance failures.

See how GRCWatch handles this control automatically

Start free trial

Related controls

GDPR A28-01 - Processor Role and AccountabilityGDPR A28-03 - Processing on Controller InstructionsGDPR A28-04 - Sub-processor RequirementsGDPR A32 - Security of ProcessingGDPR A33-34 - Breach Notification