Controllers may outsource their processing activities to other entities; however, they may hire only processors who give sufficient guarantees to implement appropriate technical and organizational measures compliant with the GDPR (Art. 28(1) GDPR). The appointment must be documented by a written contract (or other legal act under EU or MS law) that stipulates all of the following obligations of the processor:
- data processing only on controller’s documented instructions
- ensuring persons authorized for data processing have committed to confidentiality
- taking all the required data-security measures Art. 32 GDPR
- respecting the conditions on engaging other sub-processors
- assisting the controller with fulfilling its obligation to respond to requests for exercising data subjects’ rights by appropriate technical and organizational measures
- assisting the controller in ensuring compliance with the obligations on data security, breach notification to the supervisory authority, breach communication to the data subject, data protection impact assessment and prior supervisory authority consultation (see Articles 32–36 GDPR)
- deleting/returning (at the choice of the controller) all the personal data to the controller after the service has been provided and deleting existing copies (unless the EU/MS law provides otherwise)
- making available to the controller all information necessary to demonstrate compliance with the abovementioned obligations and allowing for and contributing to audits, including inspections
A processor is also obliged to immediately inform the controller if the processor finds the controller’s instructions non-compliant with data protection laws.
A processor is allowed to further appoint another processor (sub-processor) only if the controller has authorized it in writing. In case of a general written authorization, the processor has a duty to inform the controller on the changes in that matter, so the controller has the opportunity to object to such changes. Further, the appointment of sub-processors must be on the same terms as determined by the DPA between the controller and the processor and Art. 28(1-2) GDPR.
For more information, see our Whitepaper on data processing under the GDPR, available here: https://www.activemind.legal/legal-advice/whitepaper-data-processing/