The data processor (DP) is the one that processes personal data for the account, on instruction and under the authority of the Data Controller (DC)-other than the employee of the DC. It can be a natural or legal person, public authority, agency or another body.
Useful? Embed this infographic on your website.
The GDPR requires the DP to commit with the protection of the data subject’s rights and compliance with this Regulation. In that sense, the following are its responsibilities:
1. Assess if you need to appoint a Data Protection Officer (DPO)
It is mandatory to appoint a DPO – Art. 37 GDPR: If you are an authority or public body (excluding courts acting in their judicial capacity) or, if your basic activities lead you to carry out, on behalf of your clients, a regular follow-up and systematic large-scale people or, if your core business brings you, on behalf of your customers, to deal with large-scale special data (“sensitive” data) or relating to criminal convictions and offences.In addition to the above, the DP can also appoint a DPO when it considers necessary to have an expert in charge of the concrete implementation and safeguard compliance with GDPR.
2. In case you need a DPO, provide with a position in line with art. 38 GDPR
If a DP must appoint a DPO, he or she should be involved promptly in all issues related to processing personal data. And whether or not they are an employee should be in a position to perform their duties and task in an independent manner.
3. Offer guarantees in relation to the implementation of appropriate technical and organizational measures.
The measures shall guarantee that the processing will meet all the requirement set in the GDPR and ensure the protection of the data subjects’ rights. For that, all the DP’s tools, products, applications or services, must respect the principles of data protection by design and by default.
4. Make a contract which governs all the processing activities to be provided to the DC.
Or other legal act under Union or Member State law binding the DP to the DC; where it is set out, among other things, (i) the subject matter of the processing; (ii) the duration of the processing; (iii) the nature of the processing; (iv) the purpose of the processing; (v) the type of personal data that is processed; (vi) the categories of data subjects; (vii) the obligations and rights of the controller.
5. In particular, stipulate the following:
Document Instructions, the DP will only act upon receipt of DC’s document instructions (evidence). This includes any international transfers unless it is required by law in which case, the DP shall inform the DC except when the law forbids to do so.
Guarantee Confidentiality, all DP’s staff processing the personal data must be committed to confidentiality duties or other appropriate statutory obligation of confidentiality.
Security of processing in line with 32 GDPR the DP must comply and demonstrate compliance with the implementation of technical and organizational measures that ensure a level of security appropriate to the risk.Register of Treatments, unless exempted in line with 30 (5) GDPR, it is under the DP and where applicable the DP’s representative, to maintain a register that lists all clients (DC or DP) and describes the treatments that its perform on their account. The register must be in writing and shall include all the points set in Art. 30 (2) GDPR.
Terms of engaging another processor, under the following conditions: (i) possession of a prior written authorization from the DC (general or specific in line with 28 (3) GDPR); (ii) the appointment has to be done by means of a written contract or other legal act under EU or Member State law, (iii) it must be subject to the same obligations as those provided in the contract with the initial DP and the DC; (iv) well-established data protection obligations. In particular, the technical and organizational measures; (v) Full liability shall remain on the initial DP in relation to the performance of the subcontractor’s obligations.
Duty to assistance to the DC, taking into account the nature of the processing carried out by the DP, the DP shall assist the DC with (i) the appropriate technical and organizational measures for the DC’s to respond the requests of the data subject’s in exercising their rights; (ii) the obligations of security processing; (iii) notification of personal breach to the supervisory authority; (iv) communication of personal breach to data subject; (v) data protection impact assessment, and if applicable, prior consultation.
Delete or Return all Personal Data, unless otherwise established by EU or Member State law, after the end of provision of the service the DP shall, at the choice of the DC, delete or return all personal data.
Demonstrate Compliance, the DP shall make available to the DC all the necessary information to demonstrate compliance. Allow carrying out audits, inspections, by the DC or auditor that the DC has mandated, and contribute to these checks.
Warning and Advice, the DP shall inform the DC without undue delay, if under its opinion, a DC’s instruction infringes the GDPR or other Union or Member State law.
6. Cooperate with the Supervisory Authority.
The DP must cooperate with the Supervisory Authority with the performance of its tasks.
7. Additionally, for DP established outside the EU – appoint a Representative.
If you carry out, on behalf of your client, data processing of persons in the EU; or, you offer, on behalf of your client, goods or services or follow the behavior of these people; the DP must appoint a representative in the EU.
- Adherence to approved Codes of Conduct or Certification Mechanism, the DP can adhere to any of the above instruments to demonstrate compliance with the obligations of the DC.
- A written contract between the DC and DP, include the electronic form and may be based in whole or in part on Standard Contractual Clauses which has been adopted directly by the Commission or by the Supervisory Authority in respect with the consistency mechanism and then adopted by the Commission. This includes when they are part of a certification mechanism, pursuant Art. 42 and 43 GDPR.
- Liability of a DP acting as a DC, without prejudice to the right of compensation and liability, the general conditions for imposing administrative fines and penalties established in the GDPR. If the DP infringes the GDPR, by determining the purpose and means of processing of the personal data, the DP shall be considered to be a DC and hence, fully liable in respect of that processing.
The lawinfographic of this article aims to help organisations to determine whether they are Data Processors or not; and, in case they are, clearly identify their duties under the law. This also should help consumers to recognise who is the Data Processor and what are their responsibilities towards the processing of their data.
Each lawinfographic has a visual presentation and keywords that will allow comprehending at a glance the main topic. The articles contain several examples and/or references that have been taken from the EU law, regulations, guidelines and opinions on the matter. If you require more information, do not hesitate to consult the lawinfographic sources below or reach me on LinkedIn.
Recitals 80 -83, 95-101, 108-110 Articles 25-50 of the GDPR
Article 29 Working Party: Guidelines: Data Protection Officers
Article 29 Working Party: Opinions and Recommendations: on the concept of “controller” and “processor”
Information Commissioner’s Office: Data Controllers and data Processors: what the difference is and what the governance implications are
Commission Nationale de l’Informatique et des Libertés: Guidelines for Data Processors