Is it mandatory to appoint an internal processor?
Even before the GDPR, the appointment of an internal processor was optional. The GDPR provides only for the appointment of external processors (companies, bodies, associations, natural persons). Under the GDPR, the former internal processor is instead regarded as a person authorised to process data.
What requirements should the processor have?
The processor shall be selected among entities which, on account of their experience, capabilities and reliability, can appropriately ensure thorough compliance with the provisions applying to data processing, including those relating to security. The controller shall choose only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of data subjects.
How should a processor be appointed?
The processor shall process data only on documented instructions given by the controller and for processing carried out on the controller’s behalf. The GDPR sets out that data processing shall be governed by a service agreement which is binding on the processor with regard to the controller. The contract shall set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
Should the processor be appointed only if processing relates to special categories of data or data relating to criminal convictions and offences?
The processor shall be appointed even if the processing concerns personal data which are neither special categories of data nor data relating to criminal convictions and offences. This obligation applies, for instance, where the purpose of the processing is to send advertising e-mails or to pack parcels for delivery to customers.
Is the controller responsible in case of processor’s infringements?
The controller is responsible: the GDPR obliges the controller to supervise that the processor processes data in compliance with the provisions of the GDPR and in accordance with the instructions given in writing by the controller. Therefore, the controller is jointly responsible.