Processor
The processor under the GDPR
The GDPR does not provide for the possibility to designate a processor inside the organisation of the controller. The Italian Data Protection Code in force before the GDPR provided that the controller could designate a processor on an optional basis. The GDPR exclusively and expressly governs the case of designation of a processor identifying it in a third party (be it legal person, natural person, organisation or public body).
Within the organisation of the controller, the ex-internal processor is as any person acting under the authority of the controller (person authorised to data processing). The controller must ensure that these persons commit themselves to confidentiality and carry out data processing only on instructions given in writing by the controller.
Professional characteristics of the processor
The processor shall be selected among entities which can appropriately ensure, on account of their experience, capabilities and reliability, thorough compliance with the provisions applying to data processing as also related to security matters. The controller shall choose only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of data subjects.
How to appoint the processor
The GDPR is very strict as regards how to appoint the processor and the instructions that the processor shall respect to perform data processing.
The GDPR requires that processing by a processor shall be governed by a service contract which determines the specific tasks. The contract shall bind on the processor with regard to the controller and set out at least:
1. the subject-matter
2. the duration of the processing
3. the nature and purposes of the processing
4. the categories of personal data
5. the categories of data subjects
6. the obligations of the controller
7. the rights of the controller.
Such contract shall demonstrate that the processor provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of data subjects, as well as the ability to carry out data processing according to the instructions of the controller. The contract shall at least bind the processor:
1. to process the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation
2. to ensure that the persons authorised to data processing have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
3. to implement the security measures provided by the GDPR
4. to engage another processor, only with prior written authorisation of the controller and to impose on the other processor by way of a contract the same data protection obligations set out in the contract between the controller and the processor
5. to assist the controller to respond to requests for exercising the rights of data subjects
6. to delete or return – at the choice of the controller – all the personal data to the controller after the end of the provision of services relating to processing, and delete existing copies
7. to make available to the controller any information necessary to demonstrate compliance with the requirements of the GDPR and to allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
Obligations and responsibilities of the processor
The obligations to which the processor is subject are to be assessed with respect to its own activity and its organisation, regardless of the obligations of the controller. Among others, there are, therefore:
1. maintenance of Records of all categories of processing activities carried out on behalf of each controller
2. if obliged by the GDPR or on an optional basis, designation of the Data Protection Officer
3. implementation of adequate organisational and technical security measures
4. if not established in a State of the European Union, designation of a representative in the State for the performance of obligations of the GDPR
5. identification and designation of persons authorised to data processing, binding them to confidentiality and giving them instructions.
The processor shall promptly inform the controller if, in its opinion, an instruction received infringes the GDPR.
If a processor carries out processing infringing the GDPR or does not abide by the instructions given by the controller, by determining the purposes and the means of processing, the processor shall be considered to be a controller in respect of that processing.
Lastly, if the controller has given prior general or specific authorisation, the processor can engage other processors and is held responsible for their infringement of the GDPR.
Appointment of a sub-processor
The GDPR makes provisions for sub-contracting under certain conditions:
1. the processor shall have a prior written general or specific authorisation from the controller, before engaging other processors
2. in the case of a general authorisation, the processor shall previously inform the controller of the addition or the replacement of other processors, thereby giving the controller the opportunity to object
3. the processor shall impose on the other processor by way of a contract the same clauses and obligations set out in the contract between the controller and the processor
4. the contract between the processor and the sub-processor shall ensure adequate guarantees so that data processing meets the requirements of the GDPR, and that the rights of data subjects are protected.
Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.
To learn more, read FAQs or contact me.
Leave a Reply