The General Data Protection Regulation (GDPR) provides a uniform, EU-wide framework for so-called ‘commissioned data processing’ (Art. 28 GDPR): the collection, processing or use of personal data by a processor on behalf of a controller, in accordance with the controller’s instructions and on the basis of a contract or other legal act.
The rules on commissioned data processing apply as soon as the processing takes place in the context of the activities of an establishment in the EU (Art. 3(1) GDPR). It is therefore sufficient that either the controller or the processor has an establishment in the EU and that the processing occurs in the context of that establishment’s activities, regardless of whether the processing itself takes place in the EU. Commissioned processing must be distinguished from joint control (Art. 26 GDPR), where two or more controllers jointly determine the purposes and means of the processing and are therefore jointly responsible for it.
In a controller-processor relationship, the processor may process personal data only on the documented instructions of the controller (Art. 28(3)(a) GDPR). It may not engage a further processor (a sub-processor) to help fulfil a specific contract without the prior specific or general written authorisation of the controller (Art. 28(2) GDPR). Where a general authorisation has been given, the processor must inform the controller of any intended addition or replacement of sub-processors, so that the controller has the opportunity to object to such changes.
In most cases, commissioned data processing is governed by a contract; Art. 28(3) GDPR sets out its minimum content. The contract must specify, among other things, the subject matter and duration of the processing, its nature and purpose, the type of personal data and the categories of data subjects, and the obligations and rights of the controller. The processor also has obligations of its own. For example, it must maintain a record of all categories of processing activities carried out on behalf of a controller (Art. 30(2) GDPR), containing the name and contact details of each controller it works for and the categories of processing carried out for each of them. Where applicable, the record must also cover transfers of personal data to third countries, including the identification of the third country, and, where possible, a general description of the technical and organisational security measures. For its part, the controller may only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures, so that the processing meets the requirements of the Regulation and protects the rights of the data subject (Art. 28(1) GDPR).
In principle, the controller is the primary contact for the data subject and is responsible for ensuring that the processing complies with the legal requirements. This does not mean, however, that the processor is free of liability. Under Art. 82 GDPR, a processor involved in the same processing as the controller and responsible for the damage is held liable for the entire damage, jointly with the controller (Art. 82(4)). The processor’s liability is, however, limited by Art. 82(2) to cases in which it has not complied with the obligations of the Regulation that are specifically directed at processors, or has acted outside or contrary to the controller’s lawful instructions. Both parties can exculpate themselves: to do so, they must prove that they are not in any way responsible for the event giving rise to the damage (Art. 82(3)).