Though responsibility to the data subject generally falls on the data controller, processors are generally responsible because of the contractual agreement between the controller and processor.
As a processor, it is important to note that the GDPR mandates that where processing of personal data is to be carried out on behalf of a controller, the controller must only use processors that provide sufficient guarantees in relation to the implementation of appropriate technical and organisational measures.
While the above places the burden on the controller to ensure that they only use compliant processors, the GDPR also requires that processing of personal data by a processor on behalf of a controller be governed by a contract (Data Processing Agreement). Data processing agreements must be legally binding on the processor and set out the relationship, nature and scope of the processing activities that are permitted under the contract.
The key requirements that data processing agreements must include is provided for under Article 28 of the GDPR. This includes, that the processor:
It is also important to note that if data processors wish to engage other processors (sub-processors), they must first seek consent from the relevant controller. Additionally, processors must enter into legally binding contracts with any sub-processors, which cover they key requirements listed above.
As a processor it is essential to not overstep the range of processing activities permitted under the relevant data processing agreement. Not only can a processor may become liable under breach of contract, but if it is established that the processor determines the means and purposes of processing, then the processor may be considered a controller and thus attract the same obligations of a controller under the Regulations (Article 28.10).