/Docs/G/EU-GDPR-Law-CmA/Sec/Article/28.md
Ti = Article 28 - {_Processor}
1.sec = Where {_processing} is to be carried out on behalf of a {_controller}, the {_controller} shall use only {_processors} providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that {_processing} will meet the requirements of this Regulation and ensure the protection of the rights of the {_data_subject}.
2.sec = The {_processor} shall not engage another {_processor} without prior specific or general written authorisation of the {_controller}. In the case of general written authorisation, the {_processor} shall inform the {_controller} of any intended changes concerning the addition or replacement of other {_processors}, thereby giving the {_controller} the opportunity to object to such changes.
3.0.sec = {_Processing} by a {_processor} shall be governed by a contract or other legal act under Union or Member State law, that is binding on the {_processor} with regard to the {_controller} and that sets out the subject-matter and duration of the {_processing}, the nature and purpose of the {_processing}, the type of {_personal_data} and categories of {_data_subjects} and the obligations and rights of the {_controller}. That contract or other legal act shall stipulate, in particular, that the {_processor}:
3.1.sec = processes the {_personal_data} only on documented instructions from the {_controller}, including with regard to transfers of {_personal_data} to a third country or an {_international_organisation}, unless required to do so by Union or Member State law to which the {_processor} is subject; in such a case, the {_processor} shall inform the {_controller} of that legal requirement before {_processing}, unless that law prohibits such information on important grounds of public interest;
3.2.sec = ensures that persons authorised to process the {_personal_data} have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3.3.sec = takes all measures required pursuant to Article 32;
3.4.sec = respects the conditions referred to in paragraphs 2 and 4 for engaging another {_processor};
3.5.sec = taking into account the nature of the {_processing}, assists the {_controller} by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the {_controller}'s obligation to respond to requests for exercising the {_data_subject}'s rights laid down in Chapter III;
3.6.sec = assists the {_controller} in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of {_processing} and the information available to the {_processor};
3.7.sec = at the choice of the {_controller}, deletes or returns all the {_personal_data} to the {_controller} after the end of the provision of services relating to {_processing}, and deletes existing copies unless Union or Member State law requires storage of the {_personal_data};
3.8.sec = makes available to the {_controller} all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the {_controller} or another auditor mandated by the {_controller}.
3.00.sec = With regard to point (h) of the first subparagraph, the {_processor} shall immediately inform the {_controller} if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.
3. = [G/Z/ol-a/s8]
4.sec = Where a {_processor} engages another {_processor} for carrying out specific {_processing} activities on behalf of the {_controller}, the same data protection obligations as set out in the contract or other legal act between the {_controller} and the {_processor} as referred to in paragraph 3 shall be imposed on that other {_processor} by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the {_processing} will meet the requirements of this Regulation. Where that other {_processor} fails to fulfil its data protection obligations, the initial {_processor} shall remain fully liable to the {_controller} for the performance of that other {_processor}'s obligations.
5.sec = Adherence of a {_processor} to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.
6.sec = Without prejudice to an individual contract between the {_controller} and the {_processor}, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the {_controller} or {_processor} pursuant to Articles 42 and 43.
7.sec = The Commission may lay down standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2).
8.sec = A {_supervisory_authority} may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.
9.sec = The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.
10.sec = Without prejudice to Articles 82, 83 and 84, if a {_processor} infringes this Regulation by determining the purposes and means of {_processing}, the {_processor} shall be considered to be a {_controller} in respect of that {_processing}.
= [G/Z/ol/s10]