What is a Data Processor under GDPR?
A data processor under the European Union General Data Protection Regulation (GDPR) is any natural or legal person, public authority, agency or other body which processes data on behalf of the controller. The definition comes out of GDPR Article 4(8), but there is much else to learn about the role and responsibilities of the data processor throughout the GDPR.
The data processor works under the instructions of the data controller. Article 29 specifically prohibits a processor from processing data unless instructed to do so by a data controller. According to Article 4(7), a controller is a natural person or organization that, either alone or jointly with others, determines the purposes and means of the processing of personal data. The controller typically contracts with one or more third-party data processors to perform specific processing on the personal data within its possession or control.
A data processor can also be a controller of personal data. However, a third-party data processor is not the controller with respect to the specific personal data that it is processing based on the controller’s instructions. In other words, a company that acts as a third-party data processor for an organization can also be a controller of personal data that it collects itself, separate and apart from what it receives from the organization using its data processing services. If two companies are instead jointly making decisions with respect to the processing of personal data, then they may be considered joint controllers under Article 26 instead of one being the controller and the other being the processor.
In order for a data controller to have a processor engage in lawful personal data processing, the processing must be governed by a contract or other legal act. The agreement must meet certain enumerated requirements, including setting forth the subject matter and duration of the processing, its nature and purpose, the type of personal data and categories of data subjects, and the obligations and rights of the controller.
Data processors are also required by the GDPR to engage in certain other activities in order to protect personal data. These other tasks include implementing appropriate technical and organizational measures to ensure an appropriate level of security (under Article 32). Processors are also obligated to assist the controller in the execution of data protection impact assessments and the fulfillment of data subject access requests.
Improve Data Privacy for GDPR or CCPA with Clarip
The Clarip team and enterprise privacy management software are ready to meet your compliance automation challenges. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If compliance with the California Consumer Privacy Act is your focus until 2020, ask us about our CCPA software. Handle automation of data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with the consent management software.
Need to improve your GDPR compliance solution? Clarip offers modular GDPR software that can fill in gaps in your privacy program. Choose from the data mapping software for an automated solution to understanding your data collection and sharing, conduct privacy risk assessments with DPIA software, or choose the cookie consent manager for ePrivacy.