What is a data processor?
Definition of a data processor, an overview of some main tasks and duties of the data processor towards the data controller and data subject, contractual and data protection obligations of the data processor and what data controllers must do when selecting a data processor under the GDPR.Two terms which are constantly used in the text of the GDPR and all that gets written around the GDPR, from the guidelines of the Article 29 Working Party to the recommendations of supervisory authorities, are the controller and the processor.
The controller or data controller is simply the organization (a legal person, agency, public authority, etc.) or the natural person which, alone or depending on the organization and personal data processing activity, in collaboration with others defines what needs to happen with the personal data (and also collects personal data) and obviously is key in personal data protection.
The definition of a data processor and variety of data processors
The processor or data processor is a person or organization who deals with personal data as instructed by a controller for specific purposes and services offered to the controller that involve personal data processing (remembering that processing can be really many things under the GDPR)
The formal definition of the processor as you can read it in the GDPR Articles (GDPR Article 4):
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Under the GDPR the controller and data processor have many similar duties and need to adhere to many similar principles. In comparison with the predecessor of the GDPR not that much has changed regarding what a data processor is.
The main difference, however, is that the GDPR has a really different stance with regards to data processors whereby they have duties and responsibilities that are directly applicable and can be directly enforced and GDPR compliance is a shared obligation as you will discover.
Moreover, data processors need to assist controllers in various circumstances where relevant, for example in a potential personal data breach notification or in considering a Data Protection Impact Assessment (more examples below).
And the principles of GDPR Article 5 regarding personal data processing apply to data processors just as much as they apply to data controllers.
Some examples of data processors:
The HR department of your organization (the controller) has methods to process personal data of candidates and employees that need to be protected and used. Some of those HR data processing data activities (or all of them or anything in-between) could be outsourced. The company you outsource to then is a processor.
Your marketing team processes personal data of potential and existing customer. When it works with an email marketing company or agency, for instance, that uses these data for campaigns, the latter are processors.
You might have outsourced the inbound contact center activities of your organization or now and then use a call center when you want to enable people to dial in to a specific number in the scope of a campaign on TV and so on. The contact center then becomes the processor, capturing information from the people who call in – the data subjects.
There are of course many more potential examples and often processors will work with other processors (sub-processors), several controllers will work with one processor, you might use several processors for one task (e.g. several parcel delivery firms if you sell a lot online) and so forth. Maybe your marketing agency works with partners for specific tasks whereby these partners also process personal data and thus become processors.
The processor never owns the personal data. The same goes for the controller who doesn’t own the personal data of his customers, prospects, employees etc. The personal data belong to the natural person.
Yet, the controller calls the shots on how and why personal data are used, as long as this of course happens in a GDPR compliant way.
If consent is chosen as the basis for lawful processing, then all rules regarding consent apply. In practice, depending on the type of personal data processing activity, organizations work with several methods of lawful processing and with several processes and processors.
The complexity of data processors
It’s clear that a controller has a responsibility with regards to the processors he works with (if you know they don’t comply with the GDPR rules, you might want to consider other partners) but that the processor also can be held liable, along with the controller or other processors, in case of GDPR infringements that could lead to GDPR fines.
Both controllers and processors have their duties with regards to customers, supervisory authorities and more in the scope of personal data protection and the GDPR, and beyond. That’s why contracts exist.
It all sounds simple but can be complex. Among the many reasons it can be complex:
the reality of an organization with multiple departments, tasks, processors, partners etc.,
the fact that processors can sit far outside the EU,
the fact that the definition of processing has broadened a lot under the GDPR (it’s pretty much anything you can imagine regarding personal data, including storing),
the definition of personal data broadened,
there are special categories of data,
identifiability is important (some processors will have specific data enabling to identify an individual; known as identifiers or personally identifiable information or PII; other processors will have other data or mixes) and, as mentioned,
the focus on data processors, as well as their liabilities and responsibilities, have changed.
Think about that logistics example again: also the driver who delivers packages and by definition carries around personal data such as name, address and so on of customers who are waiting for their parcels is (employed by) a processor, unless the company fulfils its own orders, which probably has more data about those customers than the driver has and so on. The more data and identifiers you have, the higher the risks. Yet, all processors are key in the full chain.
Data processor obligations – key GDPR Articles
The general obligations of personal data processors are explained in GDPR Article 28. However, the first paragraph really is a duty for the controller with regards to liability and, as mentioned, the need to carefully select processors.
Simply said, controllers must make sure they work with processors who offer enough guarantees regarding their actual capability to process personal data in line with the GDPR and protection of the rights of the data subject. Or, turning it around: processors need to be GDPR compliant.
The data processor can’t bring in other data processors unless….
The data processor also can’t bring in another processor without a clear permission from (and thus notification duty towards) the controller.
So, if you have outsourced a number of tasks whereby personal data is involved and the company you outsourced it to is too busy and needs to find another company for one specific task (or finds that cheaper as happens so often in so many business areas) as a controller you must know and approve that. This also goes when there are (even temporary) changes.
The contract between data controller and data processor
There also must be a contract or some other approved sort of legal basis between the data processor and data controller that doesn’t just stipulate the overall kind of things you find in such a contract but also should clearly mention the subject-matter, duration, nature and purpose of the involved data processing, as well as the type of personal data and categories of data subjects with, on top the obligations and rights of the controller.
That is pretty far-reaching and impactful for processors of course, especially as
the GDPR mentions 8 processor duties the contract should contain so do check them all out in Article 28 as there are even more conditions to meet for such a contract,
there are specific stipulations for processors who are certified (GDPR Article 42 and GDPR Article 43),
there is a duty for processors to assist controllers in ensuring secure processing (GDPR Article 32), in case a notification of a personal data breach might be needed (GDPR Articles 33 and 34), seeing whether or not a DPIA (Data Protection Impact Assessment) might be needed (GDPR Article 35) and where needed seek a prior consultation (GDPR Article 36).
Processors (and sub-processors or anyone working for processors) can never process personal data on behalf of controllers except when they have clear instructions regarding the processing of those data. So, no initiatives when you have no clear mandate (GDPR Article 29).
Data processors, record keeping and secure processing
A data processor also must keep a record of all categories of processing activities it has carried out on behalf of a controller, just as a controller must do so as well (GDPR Article 30).
This record also must contain a range of information as mentioned in the same Article. That includes the name and contact details of all controllers the processor works for (in the scope of personal data processing of course), of the processor himself, of the data protection officer (if there is one), on potentional transfers of personal data to a third country (often happening in outsourcing) and far more.
Just as controllers need to, processors must also cooperate with the supervisory authority when asked so (GDPR Article 31) and take all measures to ensure a sufficient level of security processing (GDPR Article 32).
Data processors and controllers: common duties, shared liability
As said the principles relating to the processing of personal data as established in GDPR Article 5 apply to processors and controllers alike. This goes for many other stipulations regarding tasks, duties and liabilities on several levels.
Don’t just see the data processor as an organization that performs data processing tasks AFTER the facts or after the personal data which are needed for the processing of it are made available to the processor.
It also is the other way around: a data processor often is an intermediary between the data subject and the data controller. If you work with platforms and tools and (thus) partners who capture personal data from data subjects in the scope of their job (e.g. online tools in the scope of your website, marketing campaigns, that earlier mentioned external contact center with inbound services, that HR company when it takes care of recruitment and any recruitment agency whatsoever you decide to use, ) and so forth, the data processor has to follow all those same GDPR rules and provides the data controller with the data and the records.
Last but not least, it’s clear that there are also additional rules to follow with regards to sensitive data, children and more for processors too. And in case of an infringement, both data controllers and processors de facto often will be liable, depending on their role in the infringement and much more. Yet, that is entirely different and highly individual matter.
More about how the role of data processor changed and why there is a shared liability in the presentation below.