A processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
Examples of processing on behalf of a controller (commissioned processing):
- Placing an order with a company for the destruction of files / documents / data carriers;
- Hiring a marketing agency to send out advertising letters or evaluate website analyses;
- Authorisation of an agency to recruit new employees for the company;
- Commissioning a company for external data storage;
- Use of cloud systems for customer and personnel management.
Control of the processors
The controller must contractually specify that the processor (Art. 28, para. 3):
- processes the personal data only on its documented instructions;
- ensures that the persons authorised to process the personal data have committed themselves to confidentiality or are subject to an appropriate legal duty of confidentiality;
- takes all measures required pursuant to Article 32 (Security of processing);
- assists the controller, as far as possible and by appropriate technical and organisational measures, in fulfilling its obligation to respond to requests for the exercise of data subjects' rights;
- upon completion of the provision of the processing services, either erases, destroys or returns all personal data;
- provides all information necessary to demonstrate compliance with the obligations laid down in Article 28 and enables and contributes to verifications, including inspections, carried out by the controller or by another auditor appointed by the controller.
Important: The controller remains responsible for its processors' compliance with the GDPR. Working with processors that do not meet the GDPR requirements will therefore result in fines for both those processors and the controller.
Tasks / Duties of the Processor
The processor must itself take care of the following points:
- Appointment of a data protection officer;
- Maintenance of a record of processing activities;
- Cooperation with the supervisory authority in the event of a data protection incident;
- Ensuring the security of processing by implementing appropriate technical and organisational measures (TOMs);
- Compliance with the restrictions on data transfers to third countries;
- If the processor is located outside the EU: appointment of an EU representative.
The controller must also ensure that the processor is able to assist it with the following points:
- When handling data subject requests (under Art. 15);
- For own security measures (according to Art. 32);
- When reporting data protection incidents to the supervisory authority (according to Art. 33);
- When notifying data subjects in the event of a data protection incident (under Art. 34);
- When carrying out data protection impact assessments (under Art. 35);
- During consultation with the supervisory authority (according to Art. 36).
Minimum content of the contract
The controller must conclude a contract in written or electronic form with each of its processors. This contract must be producible on request in the event of an enquiry by the supervisory authority. It must have at least the following minimum content:
- Subject matter, duration, nature and purpose of the processing;
- Type of personal data;
- Categories of data subjects;
- Duties and rights of the controller;
- Duties of the processor;
- Sub-processors, if applicable;
- Data processing only on the documented instruction of the data controller;
- Obligation of the employees of the processor to maintain confidentiality;
- Protection of personal data through appropriate technical and organisational measures (TOMs).
A sub-processor or sub-contractor is any contractor who processes personal data of the controller on behalf of the processor.
- The controller has the right to request information from its processors as to whether further processors (sub-processors) are used.
- The controller also has the right to object to specific sub-processors.
The controller must also ensure that the contract between the processor and the sub-processor contains the minimum content required.
In the event of breaches of duty by the sub-processor, the processor remains liable to the controller.
Joint controllers (Art. 26)
If two or more controllers jointly determine the purposes and means of processing, they are joint controllers (Art. 26).
The data subject may exercise his or her rights under the GDPR with and against each of the controllers.
The agreement between the joint controllers must specify in a transparent manner which of them fulfils which obligation under the GDPR. This applies in particular to the exercise of data subjects' rights and compliance with the information obligations under Articles 13 and 14.
The agreement must also duly reflect the respective actual roles and relationships of the joint controllers vis-à-vis data subjects.
The essence of the agreement must be made available to the data subjects.
In the event of unlawful data processing, each of the joint controllers is liable for the entire damage in accordance with Art. 82, para. 4, unless it can prove that it is not in any way responsible for the event giving rise to the damage (Art. 82, para. 3).