Privacy: Who is the Data Processor?
With the entry into force of the European Regulation on the protection of personal data No. 679/2016 (GDPR), the two main roles in privacy regulation have been defined in greater detail: the Data Controller and the Data Processor.
The Data Controller is the entity that processes personal data without receiving instructions from others, since it determines the “why” and “how” of processing the personal data it collects. In contrast, the Data Processor is an entity external to the Controller’s organization and acts as the extended arm of the Data Controller. The Processor has no autonomy in deciding the “why” and “how” of data processing and operates strictly within the instructions provided by the Controller.
According to current legislation, the Data Processor is defined as:
“a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller” (GDPR, Article 4, paragraph 1, No. 8).
The role of Data Processor requires qualified expertise, specific reliability, and adequate resources to fulfill the obligations associated with it.
The two fundamental requirements for qualifying as a Data Processor are:
- Being distinct from the Data Controller.
- Processing data on behalf of the Data Controller.
Appointment of the Data Processor
Since the Data Processor acts on behalf of the Controller, their appointment must occur through a contract or other legally binding act. This document must adhere to the requirements of Article 28 of the GDPR, be in writing (including electronic format), and specify:
- The subject matter of the processing.
- The duration of the processing, with exact timeframes or criteria for determination.
- The nature and methods of processing.
- The type of personal data processed, detailed as much as possible.
- The purpose of the processing.
- The categories of data subjects involved.
- Whether the Processor may use sub-processors, and if so, their accountability.
- The obligations and rights of the Controller.
Acting “on behalf of” the Controller means that the Processor cannot process data for its own purposes. Per Article 28, paragraph 10, a Data Processor violates the GDPR if it processes data beyond the Controller’s instructions or defines its own purposes and means of processing.
The contract under Article 28 is critical because the role of Data Processor does not depend solely on the entity’s characteristics but also on the specific activities they perform in a defined context.
Requirements for the Data Processor
Under the GDPR, the Processor must provide sufficient guarantees to implement appropriate technical and organizational measures, particularly regarding data security, to protect the rights of data subjects.
Evaluating these guarantees involves a risk assessment by the Controller, considering:
- The nature of the processing.
- The context and scope of the operations.
- The intended purposes and associated risks to individuals’ rights and freedoms.
For example, adherence to a code of conduct or an approved certification mechanism may demonstrate these guarantees.
Responsibilities of the Data Processor
Under the contract required by Article 28 GDPR, the Data Processor is obligated to:
- Process data only under the Controller’s instructions, demonstrating compliance with the agreed-upon methods and legal standards.
- Maintain a record of processing activities as a Processor.
- Ensure the confidentiality of data by training employees and enforcing confidentiality agreements.
- Implement adequate security measures to protect data against risks, as outlined in Article 32 GDPR. This includes:
  - Pseudonymization and encryption of data.
  - Timely restoration of access in case of technical issues.
- Manage the relationship with sub-processors under similar contractual terms, ensuring compliance with the same obligations.
Although the responsibility for responding to data subject requests lies primarily with the Controller, the Processor must:
- Assist the Controller with adequate technical and organizational measures.
- Forward any data subject requests to the Controller promptly.
Processors are also responsible for:
- Reporting personal data breaches to the supervisory authority without undue delay.
- Assisting the Controller in conducting Data Protection Impact Assessments (DPIAs) and consultations with the authority if high risks are identified.
Liability for Violations
Article 82, paragraph 1 of the GDPR establishes that data subjects who suffer damage due to GDPR violations have the right to compensation for both material and non-material damages.
A Data Processor is liable for damages caused by processing only if:
- They fail to comply with their specific obligations under the GDPR.
- They act contrary to or outside the instructions provided by the Controller.
However, both the Controller and Processor are exempt from liability if they can prove the damage was not their fault. This requires demonstrating:
- The harm was caused by an external factor beyond their control.
- They implemented all foreseeable and adequate measures to prevent the damage.
This reversal of the burden of proof emphasizes the importance of adherence to GDPR principles and robust organizational measures.