Skip main navigation

An overview of a data processor's obligations

Under the GDPR, data processers have many legal obligations to protect data subjects and their rights. Watch Melania Tudorica explain more.

Processors process data on behalf of controllers and under controller’s instructions. Processing has to be governed by a contract or other legal act under EU or national law that is binding on the processor. This contract or legal act, among other things, determines certain obligations for processors and how they assist data controllers in fulfilling their GDPR obligations. Some of these obligations are similar to the obligations of data controllers.

Article 28 GDPR determines that obligations of processors in particular include:

  • To comply with the GDPR data processing principles and to protect the rights and freedoms of data subjects;
  • To demonstrate compliance with the GDPR;
  • To maintain records of processing activities and make them available upon request by supervisory authorities;
  • To appoint data protection officers or representatives;
  • To cooperate with supervisory authorities in the performance of their tasks;
  • To ensure a level of security by taking appropriate technical and organisational measures;
  • Specific obligations as regards transfer of data outside the EU.
This article is from the free online

Understanding the GDPR

Created by
FutureLearn - Learning For Life

Reach your personal and professional goals

Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.

Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.

Start Learning now