GDPR Articles 28, 32, 33, and 34: Why an ISMS Is Not Enough
GDPR Articles 28, 32, 33, 34 require data processing agreements, security measures, and breach notification within 72 hours. An ISMS supports governance, but not operational execution.
GDPR Articles 28, 32, 33, and 34: Why an ISMS Is Not Enough for Data Processing and Breach Notification
The GDPR requires data controllers to exercise due diligence in selecting and monitoring their processors — and mandates rapid notification to supervisory authorities and data subjects in case of personal data breaches. What many organizations underestimate: These obligations require operational capabilities that an ISMS alone cannot deliver.
An ISMS structures internal governance. The GDPR additionally requires breach notification within 72 hours (Article 33), communication to affected individuals in high-risk cases (Article 34), contractual safeguards for data processing (Article 28), and technical and organizational measures for data security (Article 32).
Jump to:
- Articles 33 and 34: Personal Data Breach Notification
- Articles 28 and 32: Data Processing and Security
Why an ISMS Is No Longer Sufficient Under the GDPR
The General Data Protection Regulation (EU) 2016/679 has been in force since May 25, 2018, fundamentally changing requirements for handling personal data. For many organizations, the question arises: Is the existing Information Security Management System still sufficient — or is more needed?
The answer lies in the regulation's wording: Article 32 requires "appropriate technical and organizational measures" that ensure "a level of security appropriate to the risk." This sounds like ISMS territory — and an ISMS can indeed serve as a foundation here.
However, the GDPR goes further in two critical areas: It mandates operational breach notification obligations within tight deadlines and establishes binding requirements for collaboration with processors throughout the entire value chain.
Where an ISMS Contributes to GDPR Compliance — Data Security (Article 32)
A good ISMS provides the structure for technical and organizational measures required by the GDPR:
- Pseudonymization and encryption of personal data
- Ability to ensure confidentiality, integrity, availability, and resilience of systems
- Ability to restore availability and access to personal data promptly following a physical or technical incident
- Process for regularly testing, assessing, and evaluating the effectiveness of measures
Article 32 requires that when assessing the appropriate level of security, particular account must be taken of risks "presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data."
An ISMS supports this. However, Articles 28, 33, and 34 impose requirements with an interface character that an ISMS as an internal solution cannot address.
Where the GDPR Goes Beyond an ISMS
Articles 33 and 34: Personal Data Breach Notification
The GDPR introduces a two-tier notification regime for personal data breaches.
Notification to the Supervisory Authority (Article 33)
In case of a personal data breach, the controller must notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it — unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Where notification is not made within 72 hours, reasons for the delay must be provided.
Content of the notification under Article 33(3):
| Element | Description |
|---|---|
| Nature of the breach | Description of the nature of the breach, where possible including categories and approximate number of data subjects and records concerned |
| Contact details | Name and contact details of the data protection officer or other contact point |
| Likely consequences | Description of the likely consequences of the breach |
| Measures taken | Description of measures taken or proposed by the controller to address the breach and mitigate effects |
Article 33(4) explicitly allows for phased notification: Where information cannot be provided at the same time, it may be provided in phases without undue further delay.
Processor obligation: Under Article 33(2), the processor must notify the controller without undue delay after becoming aware of a breach. The GDPR does not specify a concrete deadline — however, EDPB guidelines recommend notification as quickly as possible to enable the controller to meet the 72-hour deadline.
Documentation obligation: Under Article 33(5), the controller must document all breaches — including the facts, effects, and remedial actions taken. This documentation must enable the supervisory authority to verify compliance.
Communication to Data Subjects (Article 34)
When the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the breach to the affected data subjects without undue delay.
The communication must describe in clear and plain language the nature of the breach and at least include:
- Name and contact details of the data protection officer
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate effects
Exceptions to the communication obligation (Article 34(3)):
| Exception | Explanation |
|---|---|
| Technical protection measures | The controller has implemented appropriate measures (e.g., encryption) that render data unintelligible to unauthorized persons |
| Subsequent measures | Subsequent measures ensure that the high risk is no longer likely to materialize |
| Disproportionate effort | In this case, a public communication or similar measure is made instead |
The supervisory authority may, under Article 34(4), require the controller to communicate to data subjects if it considers that a high risk exists.
Articles 28 and 32: Data Processing and Security
The GDPR establishes binding requirements for working with processors.
Selection of Processors (Article 28(1))
The controller may only use processors that "provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject."
This wording establishes a due diligence obligation in selection — not only at contract signing but on an ongoing basis.
Contractual Requirements (Article 28(3))
Processing by a processor must be governed by a contract or other legal act that binds the processor to the controller.
Minimum contents of the data processing agreement:
| Requirement | Legal basis |
|---|---|
| Processing only on documented instructions from the controller | Art. 28(3)(a) |
| Confidentiality commitment by authorized personnel | Art. 28(3)(b) |
| Implementation of all measures required under Article 32 | Art. 28(3)(c) |
| Compliance with conditions for sub-processors | Art. 28(3)(d) |
| Assistance with data subject rights | Art. 28(3)(e) |
| Assistance with obligations under Articles 32–36 (security, notifications, impact assessments) | Art. 28(3)(f) |
| Deletion or return of data after contract termination | Art. 28(3)(g) |
| Making available all information to demonstrate compliance, enabling audits and inspections | Art. 28(3)(h) |
Sub-processing (Article 28(2) and (4))
The processor may not engage another processor without prior specific or general written authorization from the controller.
In case of general written authorization, the processor must inform the controller of any intended changes and give them the opportunity to object.
When another processor is engaged, the same data protection obligations must be imposed. The original processor remains liable to the controller for the sub-processor's compliance.
Demonstrating Compliance (Article 28(5))
Adherence to approved codes of conduct (Article 40) or an approved certification mechanism (Article 42) may be used as an element to demonstrate sufficient guarantees.
Why Due Diligence Is Not a One-Off Exercise
The GDPR speaks of selecting a suitable processor — but the controller's obligations do not end at contract signing:
- Article 28(3)(h) obligates the processor to make available all information necessary to demonstrate compliance and allow for audits and inspections
- Article 32(1)(d) requires a process for "regularly testing, assessing and evaluating" the effectiveness of measures
- Accountability under Article 5(2) requires the controller to be able to demonstrate compliance with data protection principles at any time
In practice, this means: An organization that engages a processor once and never checks again will struggle to demonstrate due diligence in case of damage. Initial due diligence becomes a recurring necessity.
Penalties (Article 83)
The GDPR provides for a two-tier penalty system:
| Violation | Fine | Legal basis |
|---|---|---|
| Obligations of controllers and processors (Art. 8, 11, 25–39, 42, 43) | Up to EUR 10 million or 2% annual turnover | Art. 83(4) |
| Processing principles, data subject rights, transfers to third countries (Art. 5–7, 9, 12–22, 44–49) | Up to EUR 20 million or 4% annual turnover | Art. 83(5) |
| Non-compliance with an order by the supervisory authority | Up to EUR 20 million or 4% annual turnover | Art. 83(6) |
The higher amount applies in each case.
Relevance for data processing and breach notification:
- Violations of Article 28 (processing) and Article 32 (security) fall under the lower tier (up to EUR 10 million / 2%)
- Violations of Article 33 (notification to authority) and Article 34 (communication to data subjects) also fall under the lower tier
- However, failure to notify may additionally be considered a violation of Article 5 (accountability) — which can trigger the upper tier
When setting fines, Article 83(2) requires consideration of, among other factors: the nature, gravity, and duration of the infringement; intentional or negligent character; measures taken to mitigate damage; previous infringements; and cooperation with the supervisory authority.
ISMS and Trust Center: Two Sides of the Same Coin
GDPR requirements cannot be met with a single system. Governance requires structure — an ISMS is indispensable for this. However, Articles 28, 33, and 34 additionally require operational capabilities:
- Breach notification within 72 hours — to supervisory authorities and, where applicable, data subjects
- Documentation of all breaches — including those not subject to notification
- Structured assessment and monitoring of processors
- Demonstrable due diligence in selecting and continuously monitoring service providers
The Two Directions of a Trust Center
A Trust Center not only supports inbound assessment of your own service providers — it also solves a practical problem on the outbound side: Organizations acting as processors must provide their customers with the information required under Article 28(3)(h).
In practice, this means: Every potential or existing customer can — and will — request evidence. A Trust Center consolidates this documentation in one professional location:
| Document | Purpose | GDPR Reference |
|---|---|---|
| Data Processing Agreement (DPA) | Standard contract for signature | Art. 28(3) |
| Technical and Organizational Measures (TOMs) | Evidence of security measures | Art. 32 |
| List of Sub-processors | Transparency about sub-processors | Art. 28(2) |
| Certifications (ISO 27001, SOC 2) | Evidence of sufficient guarantees | Art. 28(5), Art. 42 |
| Audit reports and penetration test summaries | Independent assessment of measures | Art. 28(3)(h) |
| Security policies | Documentation of internal processes | Art. 32 |
| Records of processing activities | Overview of data processing | Art. 30 |
| Data Protection Impact Assessments (where applicable) | Risk assessment for critical processing | Art. 35 |
Without a Trust Center, this communication runs through email, individual requests, and manual processes — time-consuming, error-prone, and difficult to scale. With a Trust Center, reactive document searches become proactive demonstration of compliance.
The Dual Perspective
Many organizations are simultaneously controllers (vis-a-vis data subjects) and processors (vis-a-vis their customers). A Trust Center addresses both roles:
As a Controller (Inbound):
- Assessment and monitoring of your own processors
- Collection and maintenance of DPAs, TOMs, and certificates from service providers
- Documentation of due diligence in selection
As a Processor (Outbound):
- Provision of all evidence to customers in one place
- Scalable response to security questionnaires and audits
- Proactive transparency instead of reactive document searches
Organizations that connect both worlds are well-positioned: An ISMS for internal governance, a Trust Center for external communication — in both directions. This transforms compliance effort into a functioning system and documentation into true resilience.
Sources
- Regulation (EU) 2016/679 (GDPR) – Full Text – Official Journal of the European Union. The complete text of the General Data Protection Regulation.
- gdpr-info.eu – Article 28 (Processor) – Requirements for data processing.
- gdpr-info.eu – Article 32 (Security of Processing) – Technical and organizational measures.
- gdpr-info.eu – Article 33 (Notification to Supervisory Authority) – 72-hour deadline for data breaches.
- gdpr-info.eu – Article 34 (Communication to Data Subject) – Communication in high-risk cases.
- gdpr-info.eu – Article 83 (General conditions for imposing administrative fines) – Penalty framework.
- EDPB – Guidelines 9/2022 on personal data breach notification – Guidelines on personal data breach notification (Version 2.0, March 2023).