
GDPR Art. 28, Regulation (EU) 2016/679, DPA 2026, LLC (ТОВ) and sole proprietor (ФОП) | AGENTIS

Updated: 10.05.2026 · Legal basis: Art. 28 GDPR, Art. 4 GDPR, Art. 24 GDPR

Short answer


Regulation (EU) 2016/679 (GDPR), Article 28 (Processor) is the key provision governing the relationship between the Controller and the Processor in the processing of personal data. For a Ukrainian LLC (ТОВ) or sole proprietor (ФОП), Art. 28 GDPR applies when working with EU data subjects or EU processors and establishes the 8 mandatory elements of a DPA. Without Art. 28 compliance, the fine is up to €20 million or 4% of annual turnover (Art. 83(4) GDPR). It is compatible with Art. 24 of the Law of Ukraine "On Personal Data Protection" of 01.06.2010 No. 2297-VI, which uses the term "розпорядник" (data manager) for the same role.

Full text of Art. 28 GDPR

Art. 28(1)

Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

Art. 28(2)

The processor shall not engage another processor (sub-processor) without prior specific or general written authorization of the controller. In the case of general written authorization, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

Art. 28(3): the 8 mandatory elements

Processing by a processor shall be governed by a contract or other legal act under Union or Member State law that is binding on the processor with regard to the controller and that:

  • (a) sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.
  • (b) processes the personal data only on documented instructions from the controller, including with regard to transfers to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing.
  • (c) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • (d) takes all measures required pursuant to Article 32 (security).
  • (e) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor (sub-processors).
  • (f) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III (Articles 12-22).
  • (g) assists the controller in ensuring compliance with the obligations pursuant to Articles 32-36 (security, breach notification to authority, communication to subject, data protection impact assessment, prior consultation) taking into account the nature of processing and the information available to the processor.
  • (h) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data; makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

Art. 28(4)

Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller.

Art. 28(5)

Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.

Art. 28(6)

Standard contractual clauses referred to in paragraphs 7 and 8 may be used to govern the relationship between controller and processor.

Art. 28(7)

The Commission may lay down standard contractual clauses for the matters referred to in paragraph 3 (e.g., 2021/914).

Art. 28(8)

Supervisory authorities may adopt standard contractual clauses for the matters referred to in paragraph 3.

Art. 28(9)

The contract or other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.

Art. 28(10)

Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.

The 8 elements: SISCASA-A mnemonic

Letter   Element                Content
S        Subject                Subject matter, duration, nature and purpose of processing
I        Information            Type of personal data and categories of data subjects
S        Strict instructions    Processing only on documented instructions
C        Confidentiality        Confidentiality of authorised personnel
A        Article 32             Security measures
S        Sub-processors         Rules for engaging sub-processors
A        Assistance             Assistance with DSARs and Articles 32-36
A        Audit + termination    Audit rights and return/erasure at end of services

Relationship with other GDPR articles

  • Art. 4(7-8): definitions of Controller and Processor.
  • Art. 5: principles of processing.
  • Art. 6: lawfulness of processing.
  • Art. 24: responsibility of the controller.
  • Art. 26: joint controllers.
  • Art. 30: records of processing activities.
  • Art. 32: security of processing.
  • Art. 33: breach notification to the supervisory authority.
  • Art. 35: DPIA.
  • Art. 44-49: international transfers.
  • Art. 82: right to compensation.
  • Art. 83: administrative fines.

Relationship with SCC 2021 (Implementing Decision 2021/914)

  • Art. 28(7): the Commission may issue SCCs.
  • 2021/914 was adopted under Art. 28(7).
  • 4 modules (C2C, C2P, P2P, P2C) for different scenarios.
  • Module 2 (C2P) implements Art. 28(3) for a cross-border contract.

Enforcement examples 2024-2025

Belgium DPA 2023

Case: a Controller used an identical DPA template for 12 different processors without adapting Annex 1. Violation: Art. 28(3), a generic DPA without specificity. Fine: €50K plus a corrective order to adapt all 12 DPAs.

Spain AEPD 2024

Pattern: 40+ sanctions for missing or insufficient DPAs. Common deficiencies:

  • The DPA is missing entirely.
  • A DPA exists but lacks the 8 mandatory elements.
  • Sub-processors are not listed.
  • Audit rights are waived.

Fines: €100K-€500K range.

EDPB Coordinated Enforcement Action 2024

Scope: Art. 28 compliance across the EU. Result: 156 corrective actions across member states. Top deficiencies:

  1. Documented instructions are vague.
  2. Sub-processor control gaps.
  3. Audit rights are too restrictive.
  4. Breach SLA stated only as "without undue delay" (ambiguous).
  5. Handling of data at termination is unclear.

Practice for Ukrainian LLCs: DPA patterns 2024-2026

If the LLC is a Controller (typically a SaaS subscriber)

  1. Sign a DPA with each SaaS provider (AWS, Mailchimp, HubSpot).
  2. Adapt Annex 1 to your own business specifics.
  3. Review the Annex 2 sub-processor list.
  4. Negotiate a breach SLA of 24-48h.
  5. Annual review and audit.

If the LLC is a Processor (SaaS / agency / outsourcing)

  1. A ready, sign-ready DPA template.
  2. ISO 27001 / SOC 2 certifications.
  3. A public sub-processor list with RSS notifications.
  4. A 24h breach SLA as a competitive advantage.
  5. Audit-ready: annual SOC 2 Type II report.

If the LLC is a Joint Controller

  1. Joint Controller Agreement as a separate document.
  2. The essence of the arrangement is made public (Art. 26(2)).
  3. Allocation of responsibilities (notification, DSAR).
  4. DPAs with all Processors.

Art. 28 GDPR vs Art. 24 of Law of Ukraine No. 2297-VI: comparison table

Parameter                        Art. 28 GDPR                 Art. 24 of Law No. 2297-VI
Written form                     mandatory                    mandatory
8 mandatory elements             yes (specified)              basic obligations (less detailed)
Sub-processor rules              strict (Art. 28(2), (4))     via the "розпорядник" (data manager)
Breach notification              Art. 33 (72h)                Art. 24 part 8
Audit rights                     mandatory                    through the Commissioner (Уповноважений)
Cross-border transfers           Art. 44-49                   Art. 24-1
Standard clauses                 SCC 2021                     reference to the EU SCC
Independent Controller penalty   Art. 28(10)                  implicit

FAQ

Can I ignore Art. 28 GDPR if my LLC processes only Ukrainian data subjects? No, if: 1) the data subjects are located in the EU; 2) the LLC targets EU markets (offering goods or services); 3) the LLC monitors the behaviour of EU data subjects. Practice: to be safe, comply with both the GDPR and Law No. 2297-VI.

What are "documented instructions"? The DPA itself, Annex 1, operational documents, email exchanges and tickets, kept as a maintainable audit trail. Without an instruction the Processor may not process.

Does a "code of conduct" replace the DPA? No. A code of conduct (Art. 40) demonstrates sufficient guarantees (Art. 28(5)), but a DPA is still required.

Can the Processor decline to follow an instruction? Yes, if the instruction violates the GDPR (Art. 28(3)(h), last sentence). The Processor informs the Controller of the non-compliance; the Controller must modify the instruction or engage another processor.


AGENTIS is an information tool. It does not replace a lawyer and is not legal advice.


External sources: full text of GDPR Art. 28 on gdpr-info.eu · SCC 2021 on commission.europa.eu · EDPB Guidelines
