Personal Data Processor according to the GDPR
The company that is the Personal Data Processor according to the GDPR must process personal data belonging to EU citizens correctly. The processing must take place in accordance with the Controller's instructions.
What is a Personal Data Processor?
The party who processes personal data on behalf of a personal data controller is the Personal Data Processor according to the GDPR. A Personal Data Processor is always outside of the Controller’s own organization. For example, it may be a natural or legal person, public authority, institution or other body.
The Controller, a company for instance, can hire a Personal Data Processor to process personal data on behalf of the company. For example, it is common for an accounting consultant, e-mail provider, hosting provider or cloud storage site to act as a Personal Data Processor. This is because the company shares personal data for which it is responsible with such a service provider. The service provider then processes the personal data on behalf of the company.
In such cases, the Controller must provide written instructions to the Processor as to how the processing may proceed. According to the GDPR, the Personal Data Processor is obliged to follow the instructions. The Processor also has various rights and obligations under the regulation.
The Personal Data Processors used by the Controller must be able to provide sufficient guarantees that the processing meets the requirements of the GDPR and that the data subject's rights are protected in accordance with the GDPR.
Article 28 of the GDPR
The Personal Data Processor and its personnel may only process personal data in accordance with the written instructions from the Controller. Such instructions shall be provided in connection with the parties entering into a Data Processing Agreement. According to the GDPR, the parties must enter into such an agreement with each other before any processing may begin, for instance the processing of personal data on behalf of the Controller. The GDPR contains clear instructions and requirements regarding what such an Agreement must contain. These can be read in Article 28 of the GDPR.
For example, the Processor may not hire its own Sub-Processors without prior written permission from the Controller.
Here is more information about the Data Processing Agreement.
A novelty in the GDPR is that some of the obligations that previously applied to the Controller now also apply to the Processor.
Examples are the requirements to keep records of processing activities, to ensure an appropriate level of security and, in some cases, to appoint a data protection officer.
The Controller is the one who is responsible if a Personal Data Processor processes the personal data in violation of the GDPR. However, a Processor may also be subject to supervision by the Supervisory Authority or to administrative penalty fees and be liable for damages.
News about GDPR and reviews from supervisory authorities
In addition to this information, you can also read our GDPR summary and various news about the GDPR on this website, for example audits carried out by Supervisory Authorities and the sanction fees that they issue. By learning from the mistakes of others, it is possible to avoid making similar mistakes yourself. You can also find guides and other information that is important and good to know as an entrepreneur.
Summary of the GDPR for Companies, Entrepreneurs and Businesses
There is a lot of information about the GDPR that is important for companies, entrepreneurs and businesses to know about. We have therefore written a GDPR Summary that mentions various key elements. It provides an overview of the GDPR, what it means and what companies must do to comply with the EU regulation.