21 August 2020
While former data protection laws, such as the European Data Protection Directive 95/46/EC (the “Directive”), mostly addressed data controllers, the General Data Protection Regulation (“GDPR”) imposes several obligations upon data processors. Before its entry into force in 2018, the controller was entrusted with ensuring compliance when employing processors via contractual agreements; the GDPR’s approach is different: although processors are still bound by the controllers’ instructions, the GDPR allocates responsibilities between the parties by assigning processors an active role and introducing direct statutory obligations as well as significant fines of up to 4% of the processor’s global annual turnover.
Companies acting as data processors within the scope of the GDPR should assess their legal role and ascertain that they have implemented GDPR standards.
The GDPR stipulates several requirements regarding a processor’s organization, such as:
Implementation of Technical and Organizational Security Measures, Art. 28 Sec. 1, 3, Art. 32 GDPR
The Directive relied on the controller to contractually require the processor to secure the personal data processed on its behalf. The GDPR obliges every processor to implement appropriate and reasonable state-of-the-art technical and organizational measures. Processors therefore have to comply with the same security requirements as controllers, including
Support of the controller in conducting Data Protection Impact Assessments, Art. 28 Sec. 3 phrase 1 lit. f, 35 GDPR
Where a data processing activity is likely to result in a high risk to the rights and freedoms of natural persons, controllers shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations (Art. 35 GDPR). Processors are not obliged to conduct Data Protection Impact Assessments themselves but have to support the controller in doing so.
Records of processing activities, Art. 30 GDPR
Under the GDPR, most processors have to increase their accountability activities by maintaining records of their data processing activities, which must be made available to supervisory authorities on request. While similar to the records kept by controllers, they are less comprehensive, containing in particular the following information:
Processors have to notify the controller on behalf of which they are processing data without undue delay after becoming aware of a personal data breach (any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data). Often, more specific timelines will be specified in the contract between the controller and the processor.
Data Protection Officer, Art. 37 GDPR
Processors under the GDPR have to designate an independent, reliable and knowledgeable data protection officer under the same conditions as controllers, meaning they are obliged to do so if their core activities consist of
A group of undertakings may appoint a single data protection officer provided that such data protection officer is easily accessible from each establishment. Thus, one global data protection officer steering data protection EU-wide may prove helpful in order to cope with differing national regulations across the EU. Please note that national laws may require the appointment of data protection officers in additional cases (which is e.g. the case in Germany).
Notification regarding the infringement of data protection obligations
If a processor believes a controller’s instruction infringes data protection obligations, it must inform the controller immediately (Art. 28 Sec. 3 phrase 2 lit. h GDPR). However, the processor is not obliged to verify the material lawfulness of the instruction, but only needs to inform the controller if doubts arise during its processing activities.
Safeguards for third country data transfers, Art. 44 GDPR
Whereas the Directive emphasized the controller’s obligation to ensure the lawfulness of third country data transfers, the GDPR places the obligation to create sufficient safeguards for such transfers on both the controller and the processor (Art. 44 GDPR). Therefore, processors must ensure that any data transfer outside the EEA is covered by sufficient safeguards under Art. 44 et seq. GDPR (such as Standard Contractual Clauses, EU-U.S. Privacy Shield certification, etc.).
Under the Directive, data processing agreements between controllers and processors were already mandatory, but the contract often included only very basic obligations. Under the GDPR, the relationship between controller and processor needs to be regulated in detail (see Art. 28 GDPR), including with respect to the following obligations of the processor:
Within the scope of the GDPR, the concept of processor and controller is crucial as the GDPR attaches different responsibilities and obligations to each role. This being said, in order to determine whether you are a processor or controller, a case-by-case analysis is required as this is always a question of fact. The following provides guidance plus a bundle of indicators and examples for the individual assessment. Please note that the following summary cannot be exhaustive and only intends to illustrate the basic criteria for the distinction of both roles. In case of doubt, please contact your data protection officer or legal department.
Remark: Please note that it is usually preferable to transfer personal data only to processors. The reason is that your controllership ensures that the personal data is only processed according to your instructions. Also, a data transfer from controller to processor does not require an independent legal basis; rather, it suffices that you implement a data processor agreement that ensures the processor only acts on behalf of the controller. A template for such a processor agreement is available in the legal department. In case of a transfer from controller to controller, on the other hand, you need a legal basis for the transfer, i.e. either it is permitted by law or you have the data subject’s consent.
Controller
According to Art. 4 No. 7 GDPR ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor
According to Art. 4 No. 8 GDPR ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Controller
The legal form (natural person, entity) of the controller is irrelevant.
Processor
The legal form (natural person, entity) of the processor is irrelevant. However, a processor is always someone outside the organization of the controller. By ‘organization’ we mean the legal entity, i.e. any disclosure of data to another group company also requires either a controller-processor relationship or a legal basis for such data transfer.
Controller
The following criteria can help you to identify controllership:
Processor
The following criteria can help to identify a processor:
Controller
This could include decision-making power on the following aspects:
A controller-to-controller transfer, for example, would be:
A ‘joint controllership’ requires that the controllers jointly decide on the purposes and means of the processing. This could be the case if legal entities share the same pool of data in a central database.
by Wiebke Reuter, LL.M. (London) and Dr. Paul Voigt, Lic. en Derecho, CIPP/E