What are the actual Obligations of Data Processors?
If you’ve been following the latest data protection news, you might have heard that under the GDPR, you can be either a data controller or a data processor.
A “Controller’ is defined in the Regulation as: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
On the other hand the Regulation defines a processor as ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.
But the GDPR puts almost all the emphasis of enforcement on data controllers. So; what does a data processor have to do in terms of their obligations? They clearly have a very important role, even if it might not seem that way in purely legal terms.
Well, don’t fear; the info you crave is here.
A detailed list of the obligations on the processor that must be agreed to in their supplier contracts include:
- the subject matter, duration, nature and purpose of the data processing, together with the type of personal data concerned and the categories of data subject should be maintained;
- that personal data is only processed on documented instructions from the data controller, including with regard to international data transfers;
- that individuals authorised to process the personal data are subject to an obligation of confidentiality;
- that more prescriptive security measures are included;
- that the data controller is at minimum given notice of any sub-processors and have a right of objection;
- that all sub-processors are subject to the same contractual obligations as are imposed on the processor;
- that appropriate measures are taken to ensure the data controller can meet its obligations (e.g., to allow data subjects to exercise their rights); to keep data appropriately secure, to notify in the event of data breaches, to conduct data protection impact assessments and to consult with regulators where relevant;
- that all personal data is deleted or returned once the provision of services is completed; and to make available all necessary information and to allow for audits to be conducted in order to monitor compliance with the supplier contract.
As you can see it’s not all plain sailing for data processors, even though it’s up to controllers to make sure that these red lines are enforced.