Roles
Processors play an important role under the GDPR
When an actor processes personal data on behalf of a controller, it does so in the role of personal data “processor”. A company, an organisation or a public body can process personal data in the role of processor. What is crucial for the role is that it is not the processor who decides how and why the personal data should be processed.
Instructions from the controller
The controller gives instructions to processors on how to process the personal data. The instructions shall be documented in writing. In addition, the controller and the processor must enter into a data processing agreement with each other. This requirement is set out in Article 28 of the GDPR. In addition, the agreement must be in writing in order to be valid.
The processor may not process the personal data for any purposes of its own; it is the controller who determines the purpose of the processing. The processor's assignment can be very narrowly defined or quite general.
Examples
- An example of a narrowly defined assignment is the outsourcing of mail dispatch.
- An example of a more general assignment is an auditor that handles the payment of salaries from its client to the client's employees (payroll management).
Please note that there may be cases where an instruction from the controller violates the GDPR. If the processor believes this to be the case, it shall inform the controller and has the right to suspend the processing until the matter has been investigated.
Examples of companies that often process personal data in the role of processor
- Accounting firms
- Marketing agencies
- Programming agencies
- Laboratories
- Cloud storage service providers
- Suppliers of financial or accounting systems
Processors have several obligations under the GDPR
Conclude a written data processing agreement
A processor must enter into a data processing agreement with the controller. This is stated in Article 28(3) of the GDPR, and the contract must meet the minimum requirements specified there. In addition, the data processing agreement must be in writing in order to be valid under Article 28(9) of the GDPR. This writing requirement sets it apart from many other types of contract, which are equally valid whether oral or written.
Content of a data processing agreement
In the data processing agreement, the parties shall, inter alia, regulate: the duration, nature and purpose of the processing, the type of personal data and categories of data subjects, as well as the obligations and rights of the controller. The minimum content that the data processing agreement must contain in order to be valid is set out in Article 28(3) of the GDPR.
Written authorisation for the use of sub-processors
It is possible for a processor to engage another processor, a so-called “sub-processor”. For example, a processor that programs apps but lacks statistical expertise may want to hire another agency to help with that part specifically. However, a processor may only engage a sub-processor after the controller has given its prior authorisation. This requirement is set out in Article 28(2) of the GDPR.
Contracts with sub-processors
Under Article 28(4) of the GDPR, a processor must enter into a data processing agreement with any sub-processor it engages. This must be done before the sub-processor starts processing personal data on behalf of the controller. If the sub-processor fails to comply with its data protection obligations, the original processor remains fully liable to the controller for the performance of the sub-processor's obligations.
List of instructions
Companies that process personal data must be able to demonstrate that they comply with the GDPR, regardless of whether they process personal data in the role of processor or controller. For example, a processor should draw up a list of the instructions it has received from controllers.
Obligations of processors
Processors must keep a record of the processing of personal data in certain cases
As a general rule, smaller companies acting as processors do not need to keep a register of their processing operations. A smaller company may nevertheless need to do so, for example if the processing involves a high risk to the rights and freedoms of data subjects. The same applies to the processing of sensitive personal data.
Companies with 250 or more employees must keep a register of their processing. Please note that it must be in writing and available in electronic format. In addition, the company shall make it available to the national data protection authority upon request. This is stated in Article 30 of the GDPR.
Notify the controller of any personal data breaches
A personal data breach is a type of security incident. It involves the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. If a personal data breach occurs at the processor, the processor must inform the controller accordingly, and must do so without undue delay. It is then the controller who may need to notify the breach to the supervisory authority within 72 hours.
Take appropriate technical and organisational measures to protect personal data
Like controllers, processors must protect the personal data they process by taking appropriate technical and organisational measures. Examples include encrypting files, implementing user permissions and requiring multi-factor authentication.
The actual relationship determines whether a company is a processor or a controller
The fact that a company considers itself a processor, and therefore enters into a data processing agreement with a controller, does not automatically make it a processor. In other words, it is the actual relationship that determines the role in which personal data is processed, not what is written in a contract concluded between the parties.
A company can be both a data controller and a data processor for different processing activities
A company may be the controller for certain processing activities, such as processing the personal data of its own employees, while also being a processor for some of the processing it performs for its customers. In other words, a company can be both a controller and a processor, depending on the processing activity in question.
When the provision of processing services is terminated
Processors shall delete all personal data processed on behalf of the controller when the provision of processing services has been terminated. Alternatively, the personal data shall be returned to the controller. The controller has the right to choose between these two measures, pursuant to Article 28(3)(g) of the GDPR. In addition, the processor shall ensure that any copies of the personal data held by the processor are destroyed. Please note, however, that in some cases the controller may need to continue processing personal data, if required by a legal obligation.
Other data protection principles
Data protection officer (DPO)
Some companies are required to have a data protection officer under the GDPR. The data protection officer has an important role in the company and must, among other things, carry out checks and give advice and recommendations in the field of data protection. In addition, both data subjects and employees should be able to contact the data protection officer with any questions regarding the company's processing of personal data. The data protection officer may perform other tasks within the company, provided that there is no conflict of interest. One example of such a conflict would be a member of management acting as data protection officer.