Data processors carry out processing operations on behalf of controllers. If a processor, while processing, infringes the GDPR by itself determining the purposes and means of the processing, that processor is considered a controller in respect of that processing, based on Article 28.
Processors have to implement appropriate technical and organisational measures to meet GDPR requirements and to ensure protection of the rights of data subjects. In this regard, they have a number of obligations under Article 28 and other related provisions.
First and foremost, a processor needs to ensure that any processing meets the requirements of GDPR principles and ensures the protection of data subjects’ rights.
Processing should be governed by a contract or other legal act under EU or Member State law which sets out the details of the processing (its duration, subject matter, nature and purpose, the type of personal data involved, etc.). Article 28 (3) lists detailed requirements to ensure legal compliance by the processor, such as:
- Act on documented instructions from the controller;
- Ensure confidentiality, assist with legal compliance of the controller, respond to requests from data subjects;
- Make available all information necessary to demonstrate compliance of the controller;
- Take measures to assist the controller with ensuring security of processing;
- Handle the personal data after the end of the processing as the controller chooses.
If a second processor is engaged by the processor to carry out specific processing activities on behalf of the controller, the same legal obligations apply. If the second processor fails to fulfil its obligations, the first processor remains fully liable.
Based on Article 29, data processing can only take place on instructions from the controller or where required by EU or Member State law.
Furthermore, processors have other obligations that are similar to, or shared with, those of controllers, although with slight differences due to their different roles. For example, under Article 30 (2), a processor has the obligation to maintain a record of all categories of processing activities carried out on behalf of the controller. Other examples include the obligation to cooperate with supervisory authorities, to ensure the security of data processing, to notify a data breach, to designate a data protection officer, etc.
If a processor transfers personal data to a third country or an international organisation outside the EU, special GDPR requirements need to be met. This will be further discussed in Week 4.
© University of Groningen