Data Processor: Key Responsibilities

Author: Ian Aldridge, Progressive Legal

In today’s data-driven world, understanding the obligations of a data processor under the General Data Protection Regulation (GDPR) is crucial.

Highlighting the responsibilities laid out in the GDPR, the article delves into the requirements for data processors, including the necessity for Data Processing Agreements (DPAs) and the stringent criteria these agreements must meet to ensure compliance and safeguard personal data effectively.

What’s the difference between a data processor and a controller?

Data controllers are crucial entities in personal data handling, tasked with setting the parameters for how and why personal data is utilised. When multiple controllers collaborate, they’re known as “joint controllers,” sharing responsibilities and potential liabilities regarding data subjects.

On the flip side, a data processor acts under the directive of these controllers, handling personal data strictly within the boundaries set forth by them. This includes a key limitation: data processors cannot subcontract to other processors without explicit permission from the controller, ensuring a tightly controlled processing environment.

What are the key responsibilities of a data processor?

Though responsibility to the data subject generally falls on the data controller, processors are generally responsible because of the contractual agreement between the controller and processor.

As a processor, it is important to note that the GDPR mandates that where processing of personal data is to be carried out on behalf of a controller, the controller must only use processors that provide sufficient guarantees in relation to the implementation of appropriate technical and organisational measures.

While the above places the burden on the controller to ensure that they only use compliant processors, the GDPR also requires that processing of personal data by a processor on behalf of a controller be governed by a contract (Data Processing Agreement).

Data processing agreements must be legally binding on the processor and set out the relationship, nature and scope of the processing activities that are permitted under the contract.

What are the requirements of data processing agreements?

The key requirements that data processing agreements must include is provided for under Article 28 of the GDPR. This includes, that the processor:

– Processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

– Ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

– Takes all measures required pursuant to Article 32;

– Respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;

– Taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;

– Assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;

– At the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;

– Makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

It is also important to note that if data processors wish to engage other processors (sub-processors), they must first seek consent from the relevant controller. Additionally, processors must enter into legally binding contracts with any sub-processors, which cover they key requirements listed above.

Key takeaways

As a processor it is essential to not overstep the range of processing activities permitted under the relevant data processing agreement.

Not only can a processor may become liable under breach of contract, but if it is established that the processor determines the means and purposes of processing, then the processor may be considered a controller and thus attract the same obligations of a controller under the Regulations (Article 28.10).

We charge $700 +GST for a tailored GDPR compliant privacy policy. Get in touch with us below and request your privacy policy today.

Need Privacy Help?

Please get in touch with us today via phone or the contact form on this page.

1800 820 083