The processor under the GDPR
The GDPR does not provide for the possibility of designating a processor inside the organisation of the controller. The Italian Data Protection Code in force before the GDPR allowed the controller to designate an internal processor on an optional basis. The GDPR exclusively and expressly governs the designation of a processor that is a third party (be it a legal person, natural person, organisation or public body).
Within the organisation of the controller, the former internal processor is treated like any other person acting under the authority of the controller (a person authorised to process data). The controller must ensure that these persons commit themselves to confidentiality and carry out data processing only on written instructions from the controller.
How to select and appoint a processor
The processor cannot be chosen casually or without prior selection criteria. The controller shall select the processor among entities which, on account of their experience, capabilities and reliability, can appropriately ensure thorough compliance with the provisions set out in the GDPR, including the security of processing and the protection of the rights of data subjects. The processor must, in addition, undertake to carry out data processing only on the instructions received from the controller.
The GDPR is very strict as regards how to appoint the processor and the instructions that the processor shall respect to perform data processing.
The GDPR requires that processing by a processor shall be governed by a contract which determines the specific tasks. The contract shall be binding on the processor with regard to the controller and shall set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. This means that the features of the data processing carried out by the processor need to be spelled out in detail.
The obligations and responsibilities of the processor
The obligations to which the processor is subject are to be assessed with respect to its own activity and its own organisation, regardless of the obligations of the controller. These include, among others:
1. maintenance of a record of all categories of processing activities carried out on behalf of each controller
2. designation of a Data Protection Officer, where required by the GDPR or on an optional basis
3. implementation of adequate organisational and technical security measures
4. if not established in a State of the European Union, designation of a representative in the State for the performance of the obligations under the GDPR
5. identification and designation of persons authorised to process data, binding them to confidentiality and giving them documented instructions.
The processor shall promptly inform the controller if, in its opinion, an instruction received infringes the GDPR.
If a processor infringes the GDPR by determining the purposes and means of processing, or does not abide by the instructions given by the controller, the processor shall be considered to be a controller in respect of that processing.
Lastly, if the controller has given prior general or specific authorisation, the processor can engage other processors, and it remains responsible for their infringements of the GDPR.