Data processor obligations under the GDPR

May 2017

A high level summary of GDPR requirements on data processors.

Article Summary Recitals
4(8) Definition of "processor".  

Rights of data subjects

Article Summary Recitals
15, 16, 18, 21 Processor may be called to assist controller in fulfilling its obligations to respond to requests from data subjects under Chapter III (see Art. 28(3) below).  

Controller and Processor

Article Summary Recitals
27(1),(2),(3) Processor not established in the EU to designate in writing a representative established in one of the Member States where data subjects being monitored are based unless processing is occasional or the controller is a public authority or body. 80
28(1),(5) Processor to provide sufficient guarantees to controller to implement appropriate technical and organisational measures (see also Art. 32). 81
28(2),(4) Processor shall not engage with another processor without prior written authorisation from the controller. Controller shall have a right to object to any changes regarding sub-processors. The sub-processor will be subject to the same contractual data protection obligations as between the first processor and controller as specified in Art. 28(3) (below). Initial processor liable to the controller for performance of sub-processor's obligations.
28(3),(6),(9) Processor to enter into written contract with controller to include points in (a)-(h) (e.g. processor only to act on documented instructions from controller when processing personal data, controller to determine if processor deletes or returns data at end of the services, etc.). The contract may take the form of standard contractual clauses referred to in Art. 28(7),(8). 81
29 Processor shall not process personal data except on instructions from the controller. 81
30(2),(3),(4) Processor (and representatives) to maintain written records of processing activities, which must contain the information specified in (2)(a)-(d) (e.g. categories of processing carried out on behalf of each controller, etc.), and must be made available to the supervisory authorities on request, subject to Art.30(5) (below). 82
30(5) Art.30(2) does not apply if fewer than 250 persons employed (unless risk to rights and freedoms of data subjects, or special categories of data (Art.9(1)) processed).  
31 Processor (and representatives) to cooperate with supervisory authorities.  
32(1) Processor to implement appropriate technical and organisational measures to ensure appropriate security of processing, including: pseudonymisation/encryption, maintaining confidentiality, restoration of access following physical/technical incidents and regular testing of measures. 83
32(4) Processor to ensure any natural person acting under their authority does not process data except on the controller's instructions.  
33(2) Processor to inform controller without undue delay after becoming aware of any personal data breach. 85-88
37(1),(7) Processor to designate a DPO where obligatory under Art.37(1), publish the DPO's contact details and communicate them to the supervisory body. 97
38 Processor to ensure DPO is involved in all issues relating to the protection of personal data, to support the DPO and provide the necessary resources for the performance of DPO tasks, and to ensure DPO tasks and duties do not cause a conflict of interest. 97

International Transfers

Article Summary Recitals
44 Processor to comply with conditions laid down in Chapter V of GDPR to ensure personal data is adequately protected when transferred to a third country, including: 101-102
  Art.45: transfers on the basis of an adequacy decision; 103-107
  Art.46: transfers subject to appropriate safeguards where no adequacy decision (e.g. BCRs, model clauses, approved code of conduct, certification mechanisms); 108-109
  Art.47: where a group of undertakings, use approved binding corporate rules for international transfers as approved by the supervisory authority; 110
  Art.49: Where no adequacy decision/safeguard/BCRs, ensure third country data transfers only take place where conditions of Art.49(1)(a)-(g) are fulfilled (e.g. express consent). 111-115

Remedies, liabilities and penalties

Article Summary Recitals
82(2),(3),(4) Any processor involved in processing shall be liable for the damage caused by non-compliant processing but exempt if it proves it is not in any way responsible for the event giving rise to the damage. Where processor(s) and controller(s) are jointly involved in the processing, they are each entirely liable for any damage, to ensure effective compensation, subject to any apportionment between the parties. 146-147
