Processor’s obligations

Dr Bo Zhao discusses data processor's obligations under the GDPR.
© University of Groningen

Data processors carry out processing operations on behalf of controllers. If a processor infringes the GDPR by itself determining the purposes and means of the processing, that processor is considered a controller in respect of that processing, based on Article 28.

Processors have to implement appropriate technical and organisational measures to meet GDPR requirements and to ensure protection of the rights of data subjects. In this regard, they have a number of obligations under Article 28 and other related provisions.

First and foremost, a processor needs to ensure that any processing meets the requirements of GDPR principles and ensures the protection of data subjects’ rights.

Contract

Processing should be governed by a contract or other legal act under EU or Member State law that sets out the details of the processing (its duration, subject matter, nature and purpose, the type of personal data involved, etc.). Article 28(3) lists detailed requirements to ensure legal compliance by the processor, such as:

  • Act only on documented instructions from the controller;
  • Ensure confidentiality, assist the controller with its legal compliance, and help respond to requests from data subjects;
  • Make available to the controller all information necessary to demonstrate compliance;
  • Take measures to assist the controller in ensuring the security of processing;
  • Handle the personal data at the end of processing as the controller chooses.

If a second processor is engaged by the processor to carry out specific processing activities on behalf of the controller, the same legal obligations apply to it. If the second processor fails to fulfil its obligations, the first processor remains fully liable to the controller.

Under Article 29, data processing may only take place on instructions from the controller, or where it is required by EU or Member State law.

Furthermore, processors have other obligations that are similar or common to those of controllers, although with slight differences owing to their different roles. For example, under Article 30(2), a processor is obliged to maintain a record of all categories of processing activities carried out on behalf of the controller. Other examples include the obligations to cooperate with supervisory authorities, to ensure the security of data processing, to notify the controller of a data breach, and to designate a data protection officer where required.

If a processor transfers personal data to a third country or an international organisation outside the EU, special GDPR requirements need to be met. This will be further discussed in Week 4.

This article is from the free online course Understanding the GDPR.