According to the GDPR, a 'processor' is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. There must exist a valid contract between controller and processor. A key consideration is that the conditions of the contract mean the processor has no scope to use the data for any of its own purposes. In addition, the processor does not collect any information itself. All the personal data it holds in connection with its provision of the service is provided by the controller.
The existence of a processor depends on a decision taken by the controller, who can decide either to process data within his organisation, for example through staff authorised to process data under his direct authority. Two basic conditions for qualifying as a processor are, on the one hand, being a separate legal entity with respect to the controller and, on the other hand, processing personal data on the controller's behalf. This processing activity may be limited to a very specific task or context or may be more general and extended.
The most important element is the prescription that the processor acts on behalf of the controller. In this perspective, the lawfulness of the processor's data processing activity is determined by the mandate given by the controller. A processor that goes beyond its mandate and acquires a relevant role in determining the purposes or the essential means of processing is a (joint) controller rather than a processor.
In your GDPR compliance app, you will find that:
- If you, as a controller, are also a processor, these details must be included in your Records of Processing report
- The details of any processors who may be processing on behalf of your organisation must be entered through your Data Mapping
- There is a section called Processors where you maintain all contracts
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018