Search

Processing on behalf of a controller under the GDPR

Controllers may outsource their processing activities to other entities; however, they may hire only processors who give sufficient guarantees to implement appropriate technical and organizational measures compliant with the GDPR (Art. 28(1) GDPR). The appointment must be documented by a written contract (or other legal act under EU or MS law) that stipulates all of the following obligations of the processor:

  1. data processing only on controller’s documented instructions
  2. ensuring persons authorized for data processing have committed to confidentiality
  3. taking all the required data-security measures Art. 32 GDPR
  4. respecting the conditions on engaging other sub-processors
  5. assisting the controller with fulfilling its obligation to respond to requests for exercising data subjects’ rights by appropriate technical and organizational measures
  6. assisting the controller in ensuring compliance with the obligations on data security, breach notification to the supervisory authority, breach communication to the data subject, data protection impact assessment and prior supervisory authority consultation (see Articles 3236 GDPR)
  7. deleting/returning (at the choice of the controller) all the personal data to the controller after the service has been provided and deleting existing copies (unless the EU/MS law provides otherwise)
  8. making available to the controller all information necessary to demonstrate compliance with the abovementioned obligations and allowing for and contributing to audits, including inspections

A processor is also obliged to immediately inform the controller if the processor finds the controller’s instructions non-compliant with data protection laws.

A processor is allowed to further appoint another processor (sub-processor) only if the controller has authorized it in writing. In case of a general written authorization, the processor has a duty to inform the controller on the changes in that matter, so the controller has the opportunity to object to such changes. Further, the appointment of sub-processors must be on the same terms as determined by the DPA between the controller and the processor and Art. 28(1-2) GDPR.

For more information, see our Whitepaper on data processing under the GDPR, available here: https://www.activemind.legal/legal-advice/whitepaper-data-processing/

activeMind.legal Rechtsanwaltsgesellschaft is a law firm specialising in data protection law. With our partner firms in the UK and Switzerland, we cover all aspects of GDPR compliance and national data protection law in Europe.

Munich

activeMind.legal
Rechtsanwaltsgesellschaft m. b. H
Potsdamer Straße 3
80802 Munich, Germany

+49 (0) 89 / 919 29 49 00

Berlin

activeMind.legal
Rechtsanwaltsgesellschaft m. b. H
Kurfürstendamm 56
10707 Berlin, Germany

+49 (0) 30 / 770 19 10 70

Services

Resources

About

Group

© 2016-2024 activeMind.legal

powered by rethink digital & KLEINWERKSTATT

Contact us!

+49 (0)89 / 91 92 94 – 900

Full details of how we handle your data can be found in our privacy policy.

Secure the knowledge of our experts!

Subscribe to our free newsletter:

By clicking on "Subscribe now" you consent to receive our newsletter. We will only use your data in accordance with our privacy policy.