The existence of a processor depends on a decision taken by the controller, who can decide either to process data within his organisation, for example through staff authorised to process data under his direct authority or to delegate all or part of the processing activities to an external organisation. Therefore, two basic conditions for qualifying as processor are, on the one hand being a separate legal entity with respect to the controller and, on the other hand processing personal data on the controller's behalf.
Furthermore, the role of processor does not stem from the nature of an entity processing data but from its concrete activities in a specific context. In other words, the processor may act at the same time as a controller for certain processing operations (think controller's own 'employees') and as a processor for others, and the qualification as controller or processor has to be assessed with regard to specific sets of data or operations.
In the GDPR compliance app's 'Records of Processing Activities' admin, you are required to indicate where, as a controller, you are also a processor.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018