The processor has already been mentioned sideways in these GDPR-series on a regular basis, but didn’t get our specific attention yet. This part of our GDPR-series will therefore provide an insight into the changes that are taking place for the processor under the General Data Protection Regulations (‘GDPR’).
The processor is the party that processes personal data on the instructions of the controller. Processing has a very broad definition. Processing occurs, for example, when personal data are stored or retrieved, but also when personal data are collected, modified, consulted, protected or deleted.
Examples of organizations that fulfil the role of processor are software suppliers, website hosts and administration offices.
Under the GDPR, the processor will be subject to direct legal obligations. We will discuss a number of explicit obligations below.
Data Processing Agreement
Under the GDPR, both the processor and the controller are explicitly obliged to enter into a Data Processing Agreement. The subjects to be included in such a Data Processing Agreement can be found here.
The GDPR explicitly states that the processor may only engage another processor with the prior consent of the controller. This permission can be given in general or specific. If the consent is only given generally and in writing, for example in a Data Processing Agreement, the controller must be informed of an intended engagement or replacement of a sub-processor and the controller must be able to object to this.
Where the controller has given such consent, the processor should impose on the sub-processor the same obligations for the processing of personal data as those imposed on the processor himself. This can be done by means of a sub-processor agreement. The processor is fully liable towards the data controller for the failure of the sub-processor to fulfil its obligations.
Under the old Dutch Privacy rules ( hereinafter called: ‘Wbp’), the data controller is obliged to take appropriate technical and organizational security measures. As of 25 May 2018, the processor is also directly obliged to do so by virtue of the text of the law. Under the GDPR, the processor is also directly liable for any damage that may arise as a result of an inadequate level of security. You can read more about the security of personal data here.
Duty to report data leaks
The GDPR explicitly includes the direct obligation for the processor to report a data breach to the controller. The processor must inform the controller without unreasonable delay after the discovery of a data breach, so that the controller can in turn comply with the obligation to report the data breach in good time to the controller and, under certain circumstances, to the data subject(s). You can read more about the obligation to report data breaches here.
Under the GDPR, both the processor and the controller are obliged to keep a register of processing activities. The processor’s processing register must contain fewer categories of information than the controller’s register. Here you can read more about the processing register and the information that the processor must include in it.
Data Protection Officer
Under the GDPR, the processor is obliged in certain circumstances to appoint a Data Protection Officer (DPO) to oversee the application of and compliance with the GDPR within the organization. You can read more about the DPO and the circumstances in which the appointment of an DPO is mandatory here.
The GDPR includes an explicit obligation for both the processor and the controller to cooperate with the regulator in the performance of its tasks if requested to do so.
Pursuant to the GDPR, the processor also has the obligation to provide assistance to the controller in fulfilling its obligations, such as responding to requests from data subjects or carrying out a Data Protection Impact Assessment (or having it carried out). The processor must also enable and contribute to audits. These obligations must also be laid down in a Data Processing Agreement.
Liability and penalties
Finally, under the GDPR there will be an increase in liability and a change in the level of fines. If the processor and the data controller are involved in the same processing that is in breach of the GDPR, they can each be held liable for the entire damage resulting therefrom. The party that has compensated the entire damage can then recover (part of) the damage from the other party(ies).
In addition, the processor may be fined directly with an amount of up to € 10 million or 2% of the total worldwide annual turnover in the case of a company for failure to comply with the aforementioned independent obligations.