Processors’ responsibilities
Processors are governed by the General Data Protection Regulation if
- they are established in an EU Member State
- they are not established in an EU Member State but their personal data processing activities relate to the offering of goods or services to data subjects in the Union or the monitoring of their behaviour within the EU.
The General Data Protection Regulation imposes direct obligations on processors. Processors must assist and advise controllers with regard to compliance with certain obligations specified in the General Data Protection Regulation. These obligations include data protection impact assessments, notifications of personal data breaches, information security, the destruction of data and contributing to audits.
Processors also have a responsibility to provide sufficient guarantees that they implement appropriate technical and organisational measures. Technical and organisational measures refer to, for example, instructions given to staff to ensure data protection, internal checks on use, the security of information systems, data encryption and other security measures. Processing operations must comply with the requirements laid down in the General Data Protection Regulation for the protection of data subjects’ rights.
Accountability under the General Data Protection Regulation also affects the relationship between processors and controllers. Controllers must be able to demonstrate that they implement the data processing principles effectively, including where a processor processes personal data on their behalf.
Processors’ obligations
Processors have a duty to
- Draw up a contract or other legal act with the controller, laying down each party’s responsibilities and covering the contents of Article 28 of the General Data Protection Regulation.
- Draw up a written list of the controller’s personal data processing instructions. Processors can use this documentation to demonstrate their compliance with the controller’s instructions.
- Request written authorisation from the controller for engaging other processors to process the controller’s personal data.
- Supply the controller with all the information needed for demonstrating compliance with its obligations and for performing audits.
- Where required, keep a record of the processing activities carried out on behalf of each controller.
Processors have a duty to provide controllers with sufficient guarantees that the personal data processing carried out on their behalf satisfies the requirements of the General Data Protection Regulation and that data subjects’ rights are protected. This means, in particular, that
- the tools, products, applications or services provided to controllers are designed to implement data protection principles
- the tools, products, applications or services ensure that, by default, only personal data that are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
The principles of data protection by design and by default can be implemented, for example, by the following means:
- The controller can be given an opportunity to specify the data to be collected so that collecting optional data is not compulsory for technical reasons (e.g. fields in an electronic form).
- The data can be minimised: only data that are necessary for the processing operation are collected.
- Data are removed automatically and selectively at certain intervals.
- Access to data and removal of data are determined by category of data or upon data subjects’ request (e.g. in social media services).
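The means listed above (purpose-bound collection, automatic deletion at intervals, deletion on a data subject’s request) can be enforced in code rather than left to policy. The following is an added example, not code from the original page or from any regulator or product: it assumes hypothetical processing purposes (`order_fulfilment`, `newsletter`), hypothetical field names and retention periods, and a constructed sample submission. Each purpose declares the fields it needs and how long a record may be kept; anything outside that declaration is never stored, and an undeclared purpose is rejected instead of silently keeping everything.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed illustration: each processing purpose declares the fields it
# needs and how long a record may be kept. The purposes, field names and
# retention periods are hypothetical, not taken from any regulation.
PURPOSES = {
    "order_fulfilment": {
        "fields": {"customer_id", "email", "postal_address"},
        "retention_days": 90,
    },
    "newsletter": {"fields": {"email"}, "retention_days": 365},
}


class PurposeError(ValueError):
    """Raised when a record is submitted for a purpose nobody has declared."""


def minimise(record: dict, purpose: str) -> dict:
    """Keep only the fields the declared purpose needs (minimisation by default).

    An undeclared purpose is an error, not a fallback to "keep everything":
    the safe default is to process nothing rather than all of it.
    """
    spec = PURPOSES.get(purpose)
    if spec is None:
        raise PurposeError(f"no declared purpose: {purpose!r}")
    return {k: v for k, v in record.items() if k in spec["fields"]}


@dataclass
class StoredRecord:
    purpose: str
    data: dict
    stored_at: datetime  # timezone-aware


def is_expired(rec: StoredRecord, now: datetime) -> bool:
    """True once a record has outlived its purpose's retention period."""
    limit = timedelta(days=PURPOSES[rec.purpose]["retention_days"])
    return now - rec.stored_at >= limit


def sweep(store: list, now: datetime) -> tuple:
    """Automatic, selective deletion: drop expired records, keep the rest.

    Returns (remaining_records, number_deleted) so the caller can log the
    deletion in its own record of processing activities.
    """
    kept = [r for r in store if not is_expired(r, now)]
    return kept, len(store) - len(kept)


def erase_subject(store: list, key: str, value) -> tuple:
    """Deletion on a data subject's request: remove every record whose
    `key` field matches `value`, regardless of purpose or age."""
    kept = [r for r in store if r.data.get(key) != value]
    return kept, len(store) - len(kept)


if __name__ == "__main__":
    # Constructed sample input: a form submission carrying more fields than
    # any purpose needs (date_of_birth is never stored).
    submitted = {
        "customer_id": "c-1001",
        "email": "alice@example.test",
        "postal_address": "1 Example Street",
        "date_of_birth": "1990-01-01",
    }
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    store = [
        StoredRecord("order_fulfilment", minimise(submitted, "order_fulfilment"),
                     now - timedelta(days=10)),
        StoredRecord("newsletter", minimise(submitted, "newsletter"),
                     now - timedelta(days=400)),
    ]
    store, removed = sweep(store, now)
    print(f"swept {removed} expired record(s); {len(store)} remain")
    store, removed = erase_subject(store, "email", "alice@example.test")
    print(f"erased {removed} record(s) on request; {len(store)} remain")
```

The design choice worth noting is that the purpose declaration is the single source of truth for both collection and retention: a field that is not declared cannot be stored, so "optional" form fields never reach the database by accident, and the retention sweep needs no per-record configuration because the period follows from the purpose.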
Processors have a duty to ensure that any employees of theirs who are authorised to process personal data are under an obligation of confidentiality.
Processors need to implement appropriate technical and organisational measures to ensure a level of information security that corresponds to the risks involved in the processing of personal data. In the event of a personal data breach, processors need to notify the controller without undue delay. Read more about risk assessment and data protection planning
At the end of the provision of their services, processors must, at the choice of the controller,
- delete all the data or return them to the controller
- delete all copies of the data, unless they have a legal obligation to keep them.
Processors who find that a controller’s instructions infringe data protection rules must immediately inform the controller in question.
Processors have a duty to assist controllers in responding to data subjects’ requests for exercising their rights where possible. Read more about rights of the data subject
Processors also have a duty to assist controllers in ensuring compliance with their obligations concerning the security of processing, personal data breach notifications and data protection impact assessments in so far as is made possible by the information available.
Frequently asked questions about processors
Data protection officers are responsible for monitoring compliance with the General Data Protection Regulation and other data protection laws within the organisation that designates them.
Processors need to designate a data protection officer if
- the processing is carried out by a public authority or body
- the core activities of the processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale on behalf of a controller, or
- the core activities of the processor consist of processing on a large scale of special categories of data (such as data concerning health or revealing ethnic origin, political opinions, religious beliefs or sexual orientation) and personal data relating to criminal convictions and offences.
Designating a data protection officer is often useful even if one is not required by law, as it gives processors access to an expert who takes care of monitoring and managing compliance with the requirements laid down in the General Data Protection Regulation and other data protection laws in practice. Data protection officers’ duties and position are governed by the relevant provisions of the General Data Protection Regulation even in the case of voluntary designations.
The contract or other legal act governing a processor’s processing operations must set out
- the subject matter and duration of the processing on behalf of the controller
- the nature and purpose of the processing
- the type of personal data to be processed on behalf of the controller and categories of data subjects
- the obligations and rights of the controller.
The contract or legal act must also stipulate, in particular, that the processor
- processes the personal data only on documented instructions from the controller
- ensures that persons authorised to process the personal data are under an obligation of confidentiality
- takes all measures required for ensuring the security of processing
- respects the conditions for engaging another processor
- assists the controller by appropriate technical and organisational measures in responding to data subjects’ requests for exercising their rights where possible
- assists the controller in ensuring compliance with the obligations relating to the security of personal data as well as data protection impact assessments and prior consultations
- at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes any copies unless there is a legal obligation to keep them
- makes available to the controller all information necessary to demonstrate compliance with the obligations concerning processors
- allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
A record of processing activities is required from organisations employing 250 or more people.
In such cases, the record must cover all processing activities.
A record of processing activities is required regardless of the number of employees if
- the processing of personal data is likely to result in a risk to the rights and freedoms of data subjects, or
- the processing of personal data is not occasional, or
- the processing includes special categories of data or personal data relating to criminal convictions and offences.
In such cases, the record only needs to cover the processing activities that belong to the aforementioned categories. For example, even small businesses regularly process their own employees’ personal data. In such cases, the processing is not occasional, and the processing operations in question need to be included in the record of processing activities. Occasional processing of personal data does not need to be included in the record of processing activities unless there are other grounds for including it, such as a likely risk to the rights and freedoms of data subjects or the involvement of special categories of personal data.
Read more: Processor’s record of processing activities
Processors can only engage other processors (subprocessors) with the controller’s written authorisation. Depending on the parties’ requirements, such authorisation can be either
- specific to one processor, or
- general, in which case the processor must inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
Processors must impose on their subprocessors, by contract or other legal act, the same data protection obligations as those set out in the contract between the processor and the controller. In particular, the contract must ensure that the subprocessor provides sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements laid down in the General Data Protection Regulation.
If a subprocessor fails to meet its data protection obligations, the initial processor will remain fully liable to the controller for the performance of its subprocessor’s obligations.
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Processors have a duty to notify the controller without undue delay after becoming aware of a personal data breach.
The controller must use the notification to report the personal data breach to the competent supervisory authority and to communicate it to the data subjects, if its impact assessment shows notification to be necessary under the General Data Protection Regulation.
Processors can report personal data breaches to the supervisory authority and notify the data subjects on behalf of the controller if this has been clearly agreed in the contract between the processor and the controller. However, the responsibility for making the notification remains with the controller.
In some circumstances, controllers have a duty to carry out a data protection impact assessment in order to evaluate the impact of the envisaged processing operations on the protection of personal data. Carrying out the impact assessment is the controller’s responsibility, not the processor’s.
However, processors do have a duty to assist controllers in carrying out impact assessments and to provide controllers with all the information they need for the assessments. The scope of this assistance should be set out in the contract between the processor and the controller.
Processors with establishments in multiple Member States can take advantage of the one-stop-shop mechanism laid down in the General Data Protection Regulation.
It allows organisations that carry out cross-border processing to report to a single national supervisory authority, which coordinates the supervision of personal data processing. This authority is called the lead supervisory authority.
The lead supervisory authority is the supervisory authority of the Member State in which the processor’s main establishment is located. A processor’s main establishment is the place of its central administration in the Union. If a processor has no central administration in the Union, its main establishment is its establishment in the Union where its main processing activities take place.
The provisions of the General Data Protection Regulation apply to processors established outside the EU if the processing they carry out on behalf of a controller relates to
- the offering of goods or services to data subjects in the Union, or
- the monitoring of data subjects’ behaviour within the Union.
In such cases, processors usually need to appoint, in writing, a representative to act as an interlocutor of data subjects and supervisory authorities in the EU for questions relating to such processing.
Individuals who suffer material or non-material damage as a result of an infringement of the General Data Protection Regulation are entitled to compensation from the controller or processor for the damage suffered. In other words, processors can be held liable for damage resulting from the processing of personal data.
Data protection authorities have the power to impose penalties for non-compliance. For example, they can issue reprimands to processors whose processing operations have infringed provisions of the General Data Protection Regulation, order processors to bring their processing operations into compliance with the Regulation, or impose temporary or definitive bans on processing.
Supervisory authorities can also impose administrative fines on processors. Depending on the type of infringement, these can be as high as EUR 10 million or, in the case of undertakings, 2% of total worldwide annual turnover of the preceding financial year, or as high as EUR 20 million or 4% of that turnover, whichever amount is higher in each case.
Examples of non-compliances include processors
- acting outside or contrary to lawful instructions of the controller
- failing to assist a controller in meeting its obligations (such as reporting personal data breaches)
- failing to provide a controller with the information needed for demonstrating compliance or performing audits
- failing to notify a controller that its instructions infringe the General Data Protection Regulation
- engaging another processor without the controller’s prior authorisation
- engaging a processor that does not meet the criteria laid down in the General Data Protection Regulation
- failing to designate a data protection officer when one is required
- failing to keep a record of processing activities carried out on behalf of a controller.