GDPR-compliant data processing on behalf of a controller

Klaus Foitzick

Lawyer / Managing Director

A company that processes personal data does not need to carry out all of its processing activities on its own. A data controller may therefore commission a processor to perform specific processing actions on its behalf. In such cases, the General Data Protection Regulation (GDPR) requires the controller and the processor to conclude a contract to determine the conditions and obligations that both parties need to meet.

Data processing and sub-processing

The GDPR defines a “processor” as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Art. 4(8) GDPR). It is common practice for any company to engage contractors to carry out explicitly determined processing activities, often to take advantage of a processor’s expertise or experience in a particular type of processing operation.

An example of data processing is when a company or organisation uses a cloud service to store and analyse its data. In such cases, the company remains the controller of the data and the cloud service provider processes the data only “upon instructions of the controller”, as stated in Art. 29 GDPR.

“Sub-processing” takes place if a processor uses the services of another processor to assist with the processing it is carrying out on behalf of the controller. Before a processor may employ a sub-processor, it must inform the controller and obtain its prior specific or general written authorisation for doing so.

Obligations of the controller

According to Art. 28 GDPR, the controller is obliged to choose a processor that can guarantee a high level of data protection. An appropriate processor must be able to provide for “sufficient guarantees” to implement appropriate technical and organisational measures that meet the requirements of the GDPR and safeguard the rights of data subjects. Before choosing a suitable processor, the controller must assess whether or not these sufficient guarantees can be fulfilled and ascertain whether the processor is continuously maintaining the data protection measures. Sufficient guarantees include, for instance, that the processor:

  • has adequate technical expertise to carry out obligations, such as to assist the controller in conducting data protection impact assessments, and
  • can provide the controller with all relevant documentation, such as privacy policies, record management policy, etc.

Obligations of the processor

As the processor acts on behalf of the controller, it may act only on the controller’s documented instructions. It is not possible for the contracted company to use client data for its own purposes. The processor can be held liable if it fails to perform its duties and can face a fine of up to EUR 10 million or 2% of its total worldwide annual turnover.

A processor can also be held liable under Art. 82 GDPR to pay compensation for any damage caused by processing. However, a processor will only be responsible for the damage if it has failed to comply with GDPR provisions explicitly relating to processors, such as acting without the controller’s lawful instructions or against those instructions. A processor will not be liable if it can prove it is not responsible for the event resulting in the damage.

Data processing agreement (DPA)

If a controller wishes to employ a processor, they must conclude a contract pursuant to Art. 28(3) GDPR, which determines the conditions of the processing. Similarly, every time a processor uses a sub-processor, there must be a written agreement between both parties, which must set out the same data protection obligations as in the contract between the controller and processor.

The GDPR explicitly lists the content requirements that must be included in the agreement between the controller and processor. Accordingly, the DPA defines:

  • the subject matter,
  • the duration of the processing,
  • the type of personal data,
  • the categories of data subjects involved, and
  • the obligations and rights of the controller.

Furthermore, the processor is subjected to several obligations that must be envisaged in the DPA:

  • Processors may only act on documented instructions from the controller.
  • Processors are obliged to implement appropriate technical and organisational measures, as agreed by the parties in the DPA, to ensure that the requirements of the GDPR are fulfilled and the rights of the data subject are protected.
  • Processors must assist the controller in fulfilling several of its obligations, such as responding to data subjects’ requests to exercise their rights under the GDPR, ensuring compliance with its data breach obligations and carrying out preventive Data Protection Impact Assessments (DPIAs).
  • After the services for the controller under the DPA have ended, the processor is compelled to delete or return all personal data.
  • Processors must be bound to provide the controller with any information necessary to demonstrate compliance as well as contribute to and allow for audits and inspections.

Data Processors located in Third Countries

Any data transfer to processors established in countries outside the EU/EEA or countries not recognised by the European Commission as having an adequate level of data protection is subject to additional safeguards. According to Art. 46 GDPR, controllers may only engage with processors located outside the EU if the safeguards for transfers provide an appropriate level of data protection similar to the one under the GDPR.

The Court of Justice of the European Union (CJEU) decided in the Schrems II judgement in July 2020 that the EU-U.S. Privacy Shield is no longer valid, which also affects DPAs with processors located in the U.S. that previously based personal data transfers on the Privacy Shield. Accordingly, alternatives to guarantee an appropriate level of data protection according to Art. 46 GDPR may include Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). The European Data Protection Board (EDPB) published guidelines for the appropriate steps controllers must take if they wish to continue to commission processors based outside the EU/EEA.

Practical steps to follow for GDPR compliance

If your organisation wishes to commission a processor to carry out specific processing activities on your behalf, both parties must conclude a data processing agreement.

The data processing agreement between the parties must contain information about the subject matter, the duration of the processing, the type of personal data, the categories of data subjects involved and the obligations and rights of the controller.

The controller is responsible for choosing a processor that can guarantee the appropriate level of data protection and fulfil its obligations regarding technical and organisational measures, assistance to the controller, in particular in responding to data subjects’ requests, and cooperation with supervisory authorities.

If you engage with a processor from outside the EU, you have to make sure it complies with the transfer provisions of the GDPR. If your international data transfers were previously based on the EU-U.S. Privacy Shield, you must ensure that alternative safeguards, such as SCCs or BCRs, are in place to guarantee an appropriate level of data protection.
