Use of data processors
The selection and use of processors is subject to a high duty of care on the part of controllers, which will require tender documents and procurement processes to be reviewed regularly. A written contract (or other legal act) must be put in place, which may be based in whole or in part on standard contractual clauses, and which sets out:
- the subject matter of the processing
- duration of processing
- nature and purpose of processing
- type of personal data
- categories of data subjects
- obligations and rights of the controller
The contract must stipulate in particular that the processor shall:
- only process personal data on the documented instructions of the controller
- ensure that persons authorised to process the personal data are bound by confidentiality
- take all measures required to ensure the security of processing
- assist the controller, as far as possible, in fulfilling its obligation to respond to requests from data subjects exercising their rights
- assist the controller in complying with its obligations in respect of:
  - security of processing
  - notification of personal data breaches to the supervisory authority and to the individuals affected
  - data protection impact assessments
  - prior consultation with the supervisory authority
- return or delete all personal data at the choice of the controller at the end of the contract
- make all the information necessary to demonstrate compliance available
- allow for and contribute towards audits
- immediately inform the controller if, in its opinion, an instruction infringes the Applied GDPR
Controllers must use only processors that provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing complies with the Applied GDPR.
A processor which goes beyond the terms of its contract by deciding for itself why and how personal data is processed becomes a controller. Article 28(10) of the Applied GDPR specifically states that "if a processor infringes this Regulation by determining the purposes and means of data processing, the processor shall be considered to be a controller in respect of that processing."
See: Article 28 and Recital 81 of the Applied GDPR