Per the GDPR - ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
The carrying-out of processing by a processor shall be governed by a contract or other legal act under Union or Member State law. A key consideration is that the conditions of the contract mean the processor has no scope to use the data for any of its own purposes. In addition, the processor does not collect any information itself. All the personal data it holds in connection with its provision of the service is provided by the controller. (Useful for understanding the difference between a controller and a processor).
Unlike the old Directive, GDPR directly regulates data processors. The controller shall use only processors who provide sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the GDPR’s requirements, including for the security of processing. Adherence of a processor to an approved code of conduct or an approved certification mechanism may be used as an element by which to demonstrate sufficient guarantees.
Besides complying with requirements within the contract, processors will be required to comply with a number of specific obligations, including to:
maintain adequate documentation (Article 30)
implement appropriate security standards (Article 32)
notify the controller in the event of a breach (Article 33)
carry out data protection impact assessments (Article 35)
appoint a data protection officer (Article 37)
comply with rules on international data transfers (Chapter V)
cooperate with national supervisory authorities (Article 31)
Processors will be directly liable to sanctions (Article 83) if they fail to meet these criteria and may also face private claims by individuals for compensation (Article 79).
Impact on controllers?
Existing processor relationships will need to be reviewed and assessed to determine current compliance with GDPR. Data privacy impact assessments may need to be carried out. Supervisory authorities may need to be consulted. In many cases existing contracts are likely to need optimisation. These negotiations may not be straightforward given the increased risk and compliance burden for processors.
What if the processor is outside the EU?
Article 3 (2) states:
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018