GDPR Series: Part 16 - Processor Obligations

This series provides more detailed insight into the General Data Protection Regulation, which was published on 4 May 2016 and must be complied with by 25 May 2018.

This issue focuses on the obligations directly imposed by the GDPR on processors. Indeed, processors have a number of new obligations under the GDPR, non-compliance with which may result in the imposition of sanctions.

Direct obligations

1.  Appointment of a representative in the EU

Processors established outside the European Union must appoint a representative in the EU when their processing activities relate to:

the offering of goods or services to EU data subjects, regardless of whether payment by the data subject is required; or

the monitoring of the behaviour within the EU of EU data subjects.

For more information, please refer to the second issue in this series on the main players under the GDPR.

2.  Conclusion of agreements with sub-processors

A processor must impose on its sub-processor, by means of a contract or other legal document, the same obligations set out in its agreement with the controller. Please see issue 11 of this series for more information on processor agreements.

When concluding a sub-processor agreement, please ensure that any specific obligations imposed by the controller are, where necessary, reflected back to back in the sub-processing agreement.

3.  Recordkeeping of processing activities by the controller

Please see issue 13 of this series for more information on the recordkeeping obligation.

4.  Co-operation with the supervisory authority

5.  Implementation of appropriate technical and organizational measures

6.  Notification of a data breach to the controller

Please see issue 12 of this series for more information on data breach notifications.

7.  Appointment of a data protection officer

Please see issue 3 of this series for more information on the appointment of a data protection officer.

Obligations resulting from the data processor agreement

It follows from the controller's obligation to only work with processors that can provide sufficient guarantees of GDPR compliance and to conclude a written data processing agreement with each that a processor must:

  • request the controller's authorization before working with a sub-processor;
  • comply with the controller's instructions regarding the processing; in this respect, please note that if the processor processes personal data in a manner that goes beyond the controller's instructions, the processor will be considered a controller and consequently be subject to all obligations of the GDPR incumbent on controllers for the relevant processing activity.
  • take the appropriate technical and organizational measures to protect personal data;
  • ensure that all persons authorised to process personal data are subject to appropriate confidentiality obligations;
  • assist the controller in ensuring compliance with its obligations under the GDPR (including the performance of data protection impact assessments);
  • delete or return all personal data to the controller at the end of the provision of services, unless a statutory retention obligation applies; and
  • make available to the controller all information necessary to demonstrate compliance with its obligations under the data processing agreement and allow audits by the controller (or an auditor appointed by the latter). 

Interesting information

The French Data Protection Authority, the CNIL, has recently issued an interesting guide for processors which is available in French.

Relevant provisions

Articles 27, 28, 30, 31, 32, 33 and 37