GDPR-28-14
Requirement
28 — Processor
Remain liable for sub-processor obligations
Description
Where another processor fails to fulfil its data protection obligations, the initial processor remains fully liable to the controller for the performance of that other processor's obligations.
Full Analysis & Evidence Requirements
Sign in to view the full obligation text, AI-generated applicability analysis, evidence checklists, and compliance mapping.
Sign In to ViewRelated Obligations
GDPR-28-01
Data Governance
Use only processors with sufficient guarantees
GDPR-28-02
Requirement
Obtain authorization before engaging sub-processors
GDPR-28-03
Transparency
Inform controller of intended sub-processor changes
GDPR-28-04
Documentation
Establish binding contract with processor
GDPR-28-05
Requirement
Process only on documented controller instructions
GDPR-28-06
Transparency
Inform controller of legal processing requirements
GDPR-28-07
Requirement
Ensure personnel confidentiality commitments
GDPR-28-08
Requirement
Assist controller with data subject rights requests
GDPR-28-09
Requirement
Assist controller with compliance obligations
GDPR-28-10
Requirement
Delete or return data after service end
Map this obligation to your AI systems
ReguLume automatically maps regulatory obligations to your system inventory, identifies compliance gaps, and generates remediation plans.
Get Started