Use of data processors

The selection and use of data processors is subject to a high duty of care by controllers which will require tender documents and procurement processes to be regularly reviewed.

For the avoidance of doubt, the GDPR states "if a processor in breach of this Regulation determines the purposes and means of data processing, the processor shall be considered to be a controller in respect of that processing."

Controllers must, therefore, only select a processor that provides sufficient guarantees to implement appropriate technical and organisational measures to ensure the processing complies with the GDPR.

   The processing must be governed by a contract (based in part or in full on standard contractual clauses) which sets out:

  The contract must stipulate in particular that the processor shall:

 See: Articles 28 and Recital 81 of the GDPR