GDPR Art 28 Robots: DPA before the pilot
GDPR Art 28 robots: mandatory content, TOMs, sub-processors, works council, liability. Operational checklist for DPOs before pilot start.
GDPR Art 28 Robots: why the DPA is the first document before the pilot
A patrol robot is a mobile data collection platform. RGB cameras, triggered microphones and thermal sensors deliver personal data on staff, suppliers, visitors and unauthorised third parties. This applies from the first test run, not only from productive operation.
The allocation of roles is unambiguous. The operator remains the controller under Art 4 No. 7 GDPR because the operator defines the purpose and means of the patrol. Quarero is the processor under Art 28 GDPR. In pilot discussions this distinction is regularly misrepresented as joint controllership under Art 26. That is wrong: Quarero does not decide on patrol routes, detection thresholds or retention at the specific site.
Without a signed data processing agreement (DPA) before commissioning, the operator moves into the scope of Art 83(4) GDPR. The fine ceiling is EUR 10 million or 2 percent of the group's worldwide prior-year turnover, whichever is higher. The DPA is not an annex to be filed later. It is an operational steering document for retention periods, sub-processor changes and audit rights.
For KRITIS facilities the situation tightens. The KRITIS regulation defines thresholds and obligations for operators of critical installations under § 8a BSIG. Data protection and IT security must be reflected in one consistent protection concept, not in separate binders. Treating the DPA as an annex to the framework contract produces exactly this inconsistency.
Next step: align KRITIS requirements under § 8a BSIG against your own scope of application before the DPA is negotiated.
Mandatory content under Art 28(3) GDPR
Art 28(3) GDPR lists minimum content. For a patrol robot this content must be formulated specifically, not in boilerplate phrases.
Subject and duration. Perimeter patrol with QR-2 for 24/7 outdoor perimeter or QR-3 with LiDAR and drone detection over a minimum term of 24 months. Renewal is agreed separately.
Nature and purpose. Detection of unauthorised access, person detection as a bounding box, audio anomalies on defined trigger, inventory checks at gates. Excluded are behavioural analysis of individual employees, time recording via the robot and biometric identification.
Data categories. Image recordings, triggered audio sequences, robot self-position, timestamps, sensor alarms. No storage of biometric templates, no facial matching database.
Categories of data subjects. Plant employees, external service providers with regular access, visitors and unauthorised third parties. Each category is recorded separately in the Art 30 record of processing.
Instructions. Quarero processes exclusively on the documented instructions of the operator. This covers route changes, detection thresholds, data export to authorities and any potential cross-border transfer. Oral instructions are confirmed in writing within 48 hours.
Next step: review the DPA draft clause by clause against these five points, not as a block sign-off.
Technical and organisational measures (TOMs)
The TOMs are an annex to the DPA and must describe the reality of the installation, not marketing statements.
Encryption. AES-256 for stored image data on the robot, TLS 1.3 for transmission to the control centre. Key rotation every 90 days, documented in the audit log.
Pseudonymisation. Persons are handled in real-time processing as bounding boxes with a numeric tracking ID. Names, facial features and licence plate matching do not occur. Re-identification is only possible through manual review by authorised operators.
Access restriction. Role-based authorisation concept with three tiers: operator, shift lead, administrator. MFA on all accounts. Full audit log with timestamp, user action and affected record. Audit log retention is at least 12 months.
Retention periods. Standard 72 hours for non-incident recordings. 30 days where an incident is documented with an internal case number. Longer retention only on written instruction of the operator, for instance due to a criminal complaint.
Physical security. Robot housing sealed, tamper detection with immediate alarm to the control centre and automatic data lock. Maintenance only by certified technicians under a documented four-eyes principle.
The EU Machinery Regulation 2023/1230 covers safety functions of autonomous systems including data processing. Tamper detection and data lock are therefore relevant not only under data protection law but also under product safety law.
Next step: have the internal IT security officer cross-check the TOM annex against the current risk analysis.
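As an added example (not Quarero's code and not part of any DPA annex), the three retention tiers above expressed as a purge rule, so that the deletion job rather than an operator's judgement decides what may be removed; the `Recording` metadata model, the sample case numbers and the instruction references are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Retention tiers as stated in the TOM annex above.
STANDARD_RETENTION = timedelta(hours=72)  # non-incident recordings
INCIDENT_RETENTION = timedelta(days=30)   # incident documented with a case number

@dataclass(frozen=True)
class Recording:
    """Assumed metadata model for one stored recording (hypothetical, not Quarero's)."""
    recording_id: str
    recorded_at: datetime                  # timezone-aware
    case_number: Optional[str] = None      # internal incident case number, if documented
    hold_until: Optional[datetime] = None  # end of a written operator instruction to retain
    hold_reference: Optional[str] = None   # identifier of that written instruction

def retention_deadline(rec: Recording) -> datetime:
    """Earliest instant at which the recording may be purged.
    A written hold only extends the tier that applies anyway, never shortens it;
    a hold without a documented instruction is rejected as a policy error."""
    if rec.hold_until is not None and not rec.hold_reference:
        raise ValueError(f"{rec.recording_id}: hold without written instruction reference")
    tier_end = rec.recorded_at + (INCIDENT_RETENTION if rec.case_number else STANDARD_RETENTION)
    return max(tier_end, rec.hold_until) if rec.hold_until is not None else tier_end

def purge_candidates(recordings, now: datetime) -> list:
    """IDs whose retention has expired; the purge job may delete exactly these, nothing else."""
    return sorted(r.recording_id for r in recordings if retention_deadline(r) <= now)

def utc_time(*ymdhm) -> datetime:
    return datetime(*ymdhm, tzinfo=timezone.utc)

# Constructed sample data, evaluated at a fixed point in time.
NOW = utc_time(2025, 3, 10, 12, 0)
SAMPLE_RECORDINGS = [
    Recording("rec-001", utc_time(2025, 3, 6, 9, 0)),                              # standard, 72 h over
    Recording("rec-002", utc_time(2025, 3, 6, 9, 0), case_number="INC-2025-017"),  # incident, 30 d running
    Recording("rec-003", utc_time(2025, 2, 1, 0, 0), case_number="INC-2025-003",   # written hold, keep
              hold_until=utc_time(2025, 6, 30, 0, 0), hold_reference="OP-INSTR-2025-02"),
    Recording("rec-004", utc_time(2025, 2, 1, 0, 0),                               # hold already lapsed
              hold_until=utc_time(2025, 2, 5, 0, 0), hold_reference="OP-INSTR-2025-01"),
]

if __name__ == "__main__":
    print("purge now:", purge_candidates(SAMPLE_RECORDINGS, NOW))  # ['rec-001', 'rec-004']
```

Each deadline it returns is what the audit log entry for the purge should cite, together with the case number or instruction reference that produced it.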
Sub-processors and third-country transfer
The most frequent point of dispute in DPA negotiations is the sub-processor chain. It must be named conclusively.
Quarero lists all sub-processors by name in the DPA: cloud hosting, maintenance partners, hardware suppliers with remote access capability. Blanket clauses such as "further service providers as required" are inadmissible and are deleted.
Hosting of sensor data takes place exclusively in EU data centres, primarily Frankfurt and Zurich. US cloud providers are excluded, including through their EU subsidiaries. This removes the Schrems II discussion on standard contractual clauses and transfer impact assessments for this data category.
A change or addition of a sub-processor requires 30 days' prior notice in text form. The operator has a right of objection. If the objection cannot be resolved, a special termination right applies without contract penalty.
Transfer to third countries without an adequacy decision of the EU Commission is excluded. Switzerland is unproblematic under the 2024 adequacy decision. For Quarero Schweiz GmbH as contracting party, the Swiss FADP applies in addition. For DACH operators the DPA stipulates that the stricter standard applies in each case, in practice usually GDPR.
Next step: request the list of sub-processors as a closed annex to the DPA and anchor it in the internal supplier register.
Signage, works council and information duties
Even the best DPA clause fails if external communication is incomplete.
Art 13 GDPR requires visible signage at all entrances to the patrolled area. In plants with international workforces, bilingual signage (German plus English or the second most common plant language) is mandatory. A QR code on the sign leads to the full data protection notice with controller, purposes, legal basis, retention period and data subject rights.
Co-determination under § 87(1) No. 6 BetrVG is mandatory as soon as the robot is suitable for monitoring the behaviour or performance of employees. This suitability is assumed for camera-based systems, regardless of the actual purpose. The works agreement must be concluded before pilot start, not in parallel.
Minimum content of the works agreement: exclusion of performance and behaviour monitoring, exclusion of facial recognition and biometric identification, involvement of the data protection officer on changes, works council rights to inspect the record of processing, escalation path on suspicion.
Operator training is documented. Breaches of the training concept constitute a contract violation under Art 28(3)(b) GDPR. This must be explicitly anchored in the DPA so that Quarero does not tacitly push this duty back to the operator.
Next step: request template texts for the works agreement from Quarero, adapt them through your own legal department and works council counsel.
Audit, evidence and liability in case of damage
The DPA defines how the operator can demonstrate its controller role.
The operator has an on-site audit right at least once per year, with 14 days' prior notice in text form. Cause-based audits, for instance after an incident, are possible without a notice period. Quarero provides a named contact and access to the affected systems.
Without separate request Quarero delivers an updated TOM report and a summary of the latest penetration test once a year. Full pentest reports are handed over on request under NDA, since they contain vulnerability information.
The notification duty for a data breach is strictly framed: Quarero notifies the operator within 24 hours so that the operator can keep the 72-hour deadline under Art 33 GDPR towards the supervisory authority. The notification contains the nature of the breach, affected data categories, estimated number of data subjects and immediate measures taken.
In the internal relationship Quarero is liable for its own breaches, such as insufficient encryption or unauthorised sub-processors. The operator is liable for instruction decisions, such as faulty route definitions or missing signage. This separation is to be expressly included in the DPA, because supervisory authorities often address both sides when imposing fines.
Insurance evidence: Quarero maintains cyber and operating liability insurance with minimum cover of EUR 5 million per case. Evidence is transmitted to the operator annually without prompting.
Next step: record the escalation chain for notifications in internal incident management, with a phone number and a secondary channel.
Interface with NIS-2 and the KRITIS Umbrella Act
The Art 28 GDPR DPA does not stand alone. It is one element of a layered compliance framework.
The NIS-2 Directive requires supply chain security and personal responsibility of management bodies. The Art 28 GDPR DPA is part of the evidence for adequate supplier management. Working with boilerplate clauses here weakens the NIS-2 documentation in parallel.
For KRITIS operators the rule is: data protection concept and protection concept under § 8a BSIG must be consistent. If the DPA provides a 72-hour retention period but the KRITIS protection concept requires forensic retention of 90 days, the contradiction is documented and open to attack.
Incidents with a personal data element trigger parallel notification duties: BfDI under Art 33 GDPR, BSI under § 8b BSIG for KRITIS, BBK for physical security incidents under the KRITIS-Dachgesetz. The ministerial draft of the KRITIS Umbrella Act couples physical and IT security obligations. A unified notification path reduces errors under time pressure.
Board liability under NIS-2 also covers inadequate DPA design for security-critical service providers. A DPO who waves through a weak template pushes the risk upwards. Operational details on this are in Board liability under NIS-2.
Recommendation: review the DPA and the KRITIS protection concept in the same compliance cycle, not in separate tracks with different update states.
Next step: set up a unified audit calendar for NIS-2 compliance, GDPR and the KRITIS protection concept.
Operational checklist before pilot start
The following sequence has proven robust in pilot projects over the past 24 months.
Request the DPA draft. Quarero delivers the draft within five working days after the Letter of Intent. Data protection officer and legal department review in parallel. Signature takes place before hardware delivery, not merely before commissioning: hardware standing in the yard without a DPA already creates pressure to start.
Conduct the DPIA. A data protection impact assessment under Art 35 GDPR is mandatory for video-based patrol on publicly accessible plant area. The DPIA documents risks, measures and residual risk assessment. It is the basis for the proportionality review.
Conclude the works agreement. Request template texts from Quarero and adapt them through works council counsel. Plan the negotiation at least four weeks before pilot start. EN ISO 13482 sets safety requirements for personal care robots and is the reference frame for autonomous mobility in mixed operation. This standard is to be referenced in the works agreement as the safety standard.
Install signage. Mount signs before day 1, document locations photographically, store the images in the DPIA file. Without verifiable signage the legal basis under Art 13 GDPR is not fulfilled.
Complete the record of processing. Enter retention concept, data categories, recipients and transfers into the record under Art 30 GDPR. Name the responsible person by name, not just by function.
Document training. Operators and shift leads are trained before pilot start. Archive training records with signature. Repeat annually, on a cause basis when systems change.
Anyone who has closed these six points before hardware delivery enters the pilot without open data protection risks. The economic classification of the model is provided by the Wachschutz TCO comparison. The contract structure itself is described in detail in the Robotics-as-a-Service model.
If your data protection and KRITIS documentation is to be prepared for a pilot with patrol robots, start with the Robotics-as-a-Service model and request the DPA draft before any hardware planning.