The General Data Protection Regulation (GDPR) provides a uniform, Europe-wide framework for so-called ‘commissioned data processing’: the collection, processing or use of personal data by a processor, on the instructions of the controller, on the basis of a contract.
The rules on commissioned data processing apply whenever the processing is connected to the activities of an establishment within the EU. It is sufficient that either the controller or the processor operates an establishment in the EU and that the processing takes place in the context of its activities. Commissioned processing must be distinguished from joint control (Art. 26 GDPR), where both parties jointly determine the purposes and means of the processing and are therefore also jointly responsible for it.
In a controller-processor relationship, the processor may process personal data only on the documented instructions of the controller. The processor may not engage another processor (a sub-processor) to fulfil a specific contract without the prior specific or general written authorisation of the controller. Where a general authorisation has been given, the processor must inform the controller of any intended changes concerning the addition or replacement of sub-processors.
In most cases, commissioned data processing is governed by a contract, whose minimum requirements are set out in Art. 28(3) GDPR. The contract must specify, among other things, the type of personal data to be processed and the subject matter and purpose of the processing. The processor has further obligations of its own. For example, it must maintain a record of processing activities containing the name and contact details of each controller on whose behalf it acts and the categories of processing carried out for each of them. The record must also include, where applicable, transfers of personal data to third countries and, where possible, a general description of the technical and organisational security measures. When selecting a processor, the controller must ensure that the processor has implemented sufficient technical and organisational measures for the processing to meet the requirements of the Regulation.
The controller is the primary point of contact for the data subject and is responsible for ensuring that the processing complies with the legal requirements. This does not mean, however, that the processor is free of liability: under Art. 82 GDPR it is jointly liable with the controller. The processor’s liability is, however, limited under Art. 82(2) to breaches of the obligations that apply specifically to processors. Both parties can exculpate themselves by proving that they were not in any way responsible for the event giving rise to the damage.
Suitable GDPR articles

- Art. 4 GDPR – Definitions
- Art. 27 GDPR – Representatives of controllers or processors not established in the Union
- Art. 28 GDPR – Processor
- Art. 29 GDPR – Processing under the authority of the controller or processor
- Art. 30 GDPR – Records of processing activities
- Art. 40 GDPR – Codes of conduct
- Art. 42 GDPR – Certification
- Art. 44 GDPR – General principle for transfers
- Art. 45 GDPR – Transfers on the basis of an adequacy decision
- Art. 46 GDPR – Transfers subject to appropriate safeguards
- Art. 47 GDPR – Binding corporate rules
- Art. 82 GDPR – Right to compensation and liability
Suitable Recitals

- (24) Applicable to Controllers/Processors Not Established in the Union if Data Subjects Within the Union are Profiled
- (36) Determination of the Main Establishment
- (80) Designation of a Representative
- (81) The Use of Processors
- (82) Record of Processing Activities
- (98) Preparation of Codes of Conduct by Organisations and Associations
- (99) Consultation of Stakeholders and Data Subjects in the Development of Codes of Conduct
- (101) General Principles for International Data Transfers
- (108) Appropriate Safeguards
- (109) Standard Data Protection Clauses
- (146) Indemnity
- (147) Jurisdiction

Further reading
- Article 29 Data Protection Working Party ► WP 244 – Guidelines on the Lead Supervisory Authority (Link)
- Article 29 Data Protection Working Party ► WP 169 – Opinion on the concepts of “controller” and “processor” (2010!) (Link)
- European Commission ► Controller/processor (Link)
- Data Protection Authority UK ► Contracts and liabilities between controllers and processors (Link)
- Data Protection Authority Isle of Man ► Processors (Link)
- Data Protection Authority France ► General Data Protection Regulation: a guide to assist processors (Link)
- Data Protection Authority Luxembourg ► Data Protection Basics: The obligations of controllers and processors (Link)
- Data Protection Authority Ireland ► Guidance: A Practical Guide to Data Controller to Data Processor Contracts under GDPR (Link)
- Bitkom ► Template Agreement Annex (Link)
- GDD ► Template – Processing in accordance with Article 28 General Data Protection Regulation (GDPR) (Link)
- IAPP ► Updating your vendor agreements to comply with GDPR (Link)
- IAPP ► What’s wrong with the ICO’s draft guidance on controller-processor contracts? (Link)
- DLA Piper ► Example Data Protection Addendum Addressing Article 28 GDPR (Processor Terms) and Incorporating Standard Contractual Clauses for Controller to Processor Transfers of Personal Data from the EEA to a Third Country (Link)