Processors are governed by the General Data Protection Regulation if
- they are established in an EU Member State
- they are not established in an EU Member State but their processing of personal data relates to the offering of goods or services to data subjects in the Union, or to the monitoring of data subjects' behaviour in so far as that behaviour takes place within the Union.
The General Data Protection Regulation imposes direct obligations on processors. Processors must assist and advise controllers in complying with certain obligations laid down in the General Data Protection Regulation. These obligations include data protection impact assessments, notification of personal data breaches, information security, the destruction of data and contributing to audits.
Processors must also provide sufficient guarantees that they will implement appropriate technical and organisational measures. Such measures include, for example, instructions given to staff to ensure data protection, internal checks on use, the security of information systems, data encryption and other security measures. Processing operations must comply with the requirements laid down in the General Data Protection Regulation for the protection of data subjects’ rights.
Accountability under the General Data Protection Regulation also affects the relationship between processors and controllers. Controllers must be able to demonstrate that the data processing principles are implemented effectively, also where a processor processes personal data on their behalf.