Skip to 0 minutes and 7 seconds Like sailors under captain’s orders, data processors process data on behalf of data controllers, and under controllers’ instructions. Data processors have two categories of obligations under the GDPR. The first set of obligations are similar to the obligations of data controllers, with slight differences in scope. The second set of obligations are special contractual obligations based on their status and their relationship to the controller. This video will provide a general overview of data processors’ obligations. Like controllers, processors have some general obligations under the GDPR. This includes complying with the GDPR data processing principles, and protecting the rights and freedoms of data subjects. Processors need to be able to demonstrate their compliance upon request.
Skip to 0 minutes and 57 seconds Like controllers, processors also have to maintain records of all processing activities, and to make them available upon request by data protection authorities. In some cases, they may also need to appoint data protection officers or representatives, and cooperate with data protection supervisory authorities in the performance of their tasks. Processors furthermore have to ensure a level of security by taking appropriate technical and organisational measures. When transferring data to a third country upon the instruction of data controllers, processes have to comply with the conditions under the GDPR. Other processors’ GDPR obligations are derived from their special position and relationship with data controllers. Most importantly, a processor cannot engage another processor without prior specific or general written authorisation of the controller.
Skip to 1 minute and 47 seconds In general, processing has to be governed by a contract or other legal act under EU or national law that is binding on the processor. Such a contract or legal act, among other things, defines the subject matter and duration, nature and purpose of the processing, the type of personal data, and categories of data subjects. Such a contract furthermore defines other obligations for processors, and how they assist data controllers in fulfilling their GDPR obligations. This includes, for example, the obligation to process data only based on a documented instruction from a controller, provisions on data transfers outside the EU, and ensuring confidentiality and data security.
Skip to 2 minutes and 30 seconds It further includes provisions on responding to requests by data subjects, engaging other processors, data handling, and breach of data controller’s instructions. We will further discuss what these obligations mean, and how to implement them in your data processing practices in the following steps for this week.
An overview of a data processor's obligations
Processors process data on behalf of controllers and under controller’s instructions. Processing has to be governed by a contract or other legal act under EU or national law that is binding on the processor. This contract or legal act, among other things, determines certain obligations for processors and how they assist data controllers in fulfilling their GDPR obligations. Some of these obligations are similar to the obligations of data controllers.
Article 28 GDPR determines that obligations of processors in particular include:
- To comply with the GDPR data processing principles and to protect the rights and freedoms of data subjects;
- To demonstrate compliance with the GDPR;
- To maintain records of processing activities and make them available upon request by supervisory authorities;
- To appoint data protection officers or representatives;
- To cooperate with supervisory authorities in the performance of their tasks;
- To ensure a level of security by taking appropriate technical and organisational measures;
- Specific obligations as regards transfer of data outside the EU.
© University of Groningen