GDPR Article 28 Compliance with Didit's APIs
Achieving GDPR Article 28 compliance for identity processing is critical. This guide explores the obligations for data processors and controllers, emphasizing the need for robust technical and organizational measures.

Understanding Article 28
GDPR Article 28 mandates strict conditions for data processors, requiring them to act only on the controller's documented instructions and implement adequate security measures to protect personal data.
Controller-Processor Relationship
A clear, legally binding contract (Data Processing Agreement) is essential, defining roles, responsibilities, and data protection clauses between the data controller and processor.
Technical & Organizational Measures
Processors must employ state-of-the-art security, including encryption, pseudonymization, regular testing, and robust access controls, ensuring data integrity and confidentiality.
Didit's Compliance Advantage
Didit's AI-native, modular identity platform provides built-in security, audit trails, and configurable workflows, enabling businesses to meet Article 28 requirements efficiently and effectively.
In today's data-driven world, compliance with regulations like the General Data Protection Regulation (GDPR) is not merely a legal obligation but a cornerstone of trust for any business handling personal data. For companies that act as data processors, especially in the identity verification space, understanding and implementing GDPR Article 28 is paramount. This article delves into the intricacies of Article 28 and demonstrates how Didit's advanced API-driven identity platform can be your most effective tool for achieving and maintaining compliance.
What is GDPR Article 28 and Why Does it Matter?
GDPR Article 28 sets out the conditions governing a data processor's role. It requires that a data controller (the entity determining the purposes and means of processing, i.e. the 'why' and 'how') engage only processors who provide sufficient guarantees to implement appropriate technical and organizational measures that meet GDPR requirements and protect data subjects' rights. Essentially, it ensures that when a company (controller) outsources data processing, the outsourced entity (processor) upholds the same standards of data protection, and that this is fixed in a binding contract rather than left to goodwill.
For identity processors, this means ensuring that every step of the verification process—from data collection via ID Verification (OCR, MRZ, barcodes) to biometric checks like Passive & Active Liveness and 1:1 Face Match—is handled with the utmost care, security, and transparency. Non-compliance can lead to severe penalties, reputational damage, and a significant loss of customer trust.
Key Requirements for Data Processors Under Article 28
Article 28 outlines several critical mandates for data processors:
- Documented Instructions: Processors must only process personal data on documented instructions from the controller. This means no independent processing decisions.
- Confidentiality: Processors must ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security of Processing: Processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Article 28(3)(c) points to the measures listed in Article 32). These include pseudonymization and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services, the ability to restore availability and access to personal data in a timely manner after a physical or technical incident, and a process for regularly testing and evaluating the effectiveness of those measures.
- Sub-processors: Processors cannot engage another processor (sub-processor) without the controller's prior specific or general written authorization. When authorized, the processor must impose the same data protection obligations on the sub-processor as those in the contract between the controller and the processor.
- Assistance to Controller: Processors must assist the controller in ensuring compliance with the controller's obligations, particularly regarding data subject rights requests, data protection impact assessments, and security breach notifications.
- Deletion or Return of Data: Upon completion of services, processors must, at the choice of the controller, delete or return all personal data to the controller and delete existing copies, unless required by law to store the personal data.
- Audit Rights: Processors must make available to the controller all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
Didit's platform is designed with these principles in mind, offering features that directly support compliance with each of these requirements. For instance, our robust audit trails and the ability to generate compliance-ready PDF reports for any verification session (via the Generate PDF API) directly address the need for transparency and auditability.
The Importance of Technical and Organizational Measures (TOMs)
The "appropriate technical and organizational measures" clause is where the rubber meets the road for data processors. This isn't just about having a privacy policy; it's about embedding data protection into the very architecture of your systems. For identity verification, this includes:
- Data Minimization: Collecting only the data absolutely necessary for the verification purpose.
- Encryption: Protecting data both in transit and at rest.
- Access Controls: Limiting who can access sensitive identity data.
- Regular Security Audits: Proactively identifying and mitigating vulnerabilities, and regularly testing that the measures above still work as intended. Didit holds ISO 27001 certification for its information security management and operates in line with GDPR; separately, its liveness detection has passed iBeta Level 1 presentation attack detection testing, which covers spoofing resistance rather than the security audit itself.
- Incident Response: Having clear procedures for handling data breaches.
- Data Retention Policies: Adhering to defined periods for storing data, aligned with controller instructions.
Didit's AI-native architecture ensures these TOMs are built-in from the ground up. Our platform's modular design allows controllers to configure workflows precisely, ensuring only necessary data is processed. For example, Age Estimation can be used for age-restricted services without collecting full identity details, adhering to data minimization principles.
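To make the pseudonymization, retention and audit-trail measures above concrete, here is a small illustration written for this article. It is not Didit's code and does not call the Didit API; the record layout, retention windows and sample data are constructed for the example. Two details matter in practice: a direct identifier such as a document number is pseudonymized with a keyed HMAC (an unkeyed hash of a short number space can be reversed by enumeration), and a record whose category has no documented retention instruction is rejected rather than silently kept.

```python
"""Pseudonymization, controller-driven retention and an audit trail for
identity-verification records.

Added example for this article (not Didit code, no Didit API calls).
Field names, retention windows and sample records are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Secret held by the processor, stored separately from the records it protects.
# Constructed value for the example; load it from a secret store in practice.
PSEUDONYM_KEY = b"example-pseudonym-key-do-not-hardcode"


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym for a direct identifier.

    Same input + same key -> same token, so records can be linked without
    storing the raw value; without the key the token cannot be reversed.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class VerificationRecord:
    session_id: str
    document_number_pseudonym: str   # the raw number is never stored
    completed_at: datetime
    category: str                    # e.g. "kyc" or "age_check"


@dataclass
class RetentionPolicy:
    """Retention window in days per category, per the controller's instructions."""
    days_by_category: dict


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, event: str, session_id: str, at: datetime) -> None:
        self.entries.append(
            {"event": event, "session_id": session_id, "at": at.isoformat()}
        )


def ingest(session_id, raw_document_number, completed_at, category, audit):
    """Store only the pseudonym of the document number and log the ingest."""
    rec = VerificationRecord(
        session_id, pseudonymize(raw_document_number), completed_at, category
    )
    audit.record("ingest", session_id, completed_at)
    return rec


def purge_expired(records, policy, now, audit):
    """Delete records older than their category's window; log each deletion.

    A category with no documented instruction is a policy gap: fail closed
    instead of retaining data indefinitely.
    """
    kept = []
    for rec in records:
        limit = policy.days_by_category.get(rec.category)
        if limit is None:
            raise ValueError(f"no retention instruction for {rec.category!r}")
        if now - rec.completed_at > timedelta(days=limit):
            audit.record("delete_expired", rec.session_id, now)
        else:
            kept.append(rec)
    return kept


def demo():
    """Run the flow on constructed data and return the observable results."""
    utc = timezone.utc
    audit = AuditLog()
    now = datetime(2024, 6, 1, tzinfo=utc)
    records = [
        ingest("s1", "X1234567", datetime(2024, 1, 1, tzinfo=utc), "kyc", audit),
        ingest("s2", "Y7654321", datetime(2024, 5, 15, tzinfo=utc), "age_check", audit),
    ]
    policy = RetentionPolicy({"kyc": 90, "age_check": 30})
    kept = purge_expired(records, policy, now, audit)

    # A record whose category has no instruction must be rejected.
    rejected = False
    try:
        purge_expired(
            [ingest("s3", "Z0000001", now, "unknown", AuditLog())],
            policy, now, AuditLog(),
        )
    except ValueError:
        rejected = True

    return {
        "kept_sessions": [r.session_id for r in kept],
        "audit": audit.entries,
        "missing_instruction_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The audit entries produced here are the kind of evidence an Article 28(3)(h) audit asks for: when a record entered the system and when, and under which instruction, it was deleted. Swapping the HMAC key per controller also keeps pseudonyms from one client unlinkable to another's.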
How Didit Helps Achieve GDPR Article 28 Compliance
Didit is engineered to be the ideal partner for data controllers seeking GDPR Article 28 compliant identity verification. Our platform provides the necessary tools and assurances:
- Configurable Workflows: Didit's Orchestrated Workflows, accessible via our Business Console, allow controllers to design multi-step identity verification journeys, including KYC, age checks, and AML Screening & Monitoring. This ensures processing aligns precisely with documented instructions and specific compliance needs.
- Robust Security & Certifications: Built with enterprise-grade security, Didit is ISO 27001, ISO 27017, and ISO 27018 certified, and iBeta Level 1 certified for liveness detection. We are also EU AI Act ready, providing a foundation of trust and compliance.
- Comprehensive Audit Trails: Every verification session generates detailed records, and our Generate PDF API allows for the creation of compliance-ready reports, crucial for demonstrating accountability and assisting with controller audits.
- Data Minimization by Design: Features like privacy-preserving Age Estimation enable businesses to meet compliance requirements without over-collecting personal data.
- Global Coverage: With ID Verification supporting documents from 220+ countries, Didit applies the same processing and controls regardless of where the document was issued. Note that document coverage does not by itself settle the separate GDPR question of international transfers: where personal data leaves the EEA, the controller and processor still need a Chapter V transfer mechanism, which belongs in the DPA.
- Developer-First Approach: Clean APIs and an instant sandbox let controllers integrate and manage their identity processes with full control and transparency. The controller's workflow configuration and API requests provide a concrete, timestamped record of what it instructed, complementing the written instructions in the DPA.
Didit's commitment to security, modularity, and AI-native design means that, as a data processor, we provide the sufficient guarantees Article 28(1) requires for protecting personal data, making compliance with Article 28 a streamlined and reliable process for our clients. Our Free Core KYC offering allows businesses to start building these compliant workflows without upfront investment, reflecting our commitment to accessible, secure identity solutions.
Ready to Get Started?
Ready to see Didit in action? Get a free demo today.
Start verifying identities for free with Didit's free tier.