The data processor is not new to data protection regulation; the figure appears in the current LOPD and is extensively developed in the RLOPD. In practice the term is applied with some frequency, as it serves to help regulate the relationship with third parties that provide services on behalf of another and, to do so, must have access to personal data.
The GDPR defines the processor as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
The types of processor are many and varied, and depend on the nature of the service they provide.
The GDPR reinforces the position of the processor with respect to the safeguarding of personal data protection. It regulates new obligations of collaboration for the processor to assist the controller in ensuring compliance with the controller’s obligations, at all times within the framework of the services contracted. It also establishes the processor’s obligation to ensure the personal data are processed correctly: it stipulates that if the processor considers an instruction infringes data protection legislation, the processor must immediately inform the controller.
Moreover, the GDPR regulates a series of obligations that the processor must fulfil. Specifically:
- implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing, taking into account the state of the art and the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons (Article 32.1, GDPR);
- maintain a record of all categories of processing activities carried out;
- designate a data protection officer in the cases indicated in Article 37.1 of the GDPR;
- notify the controller of any data breach.
The GDPR also reinforces the responsibility of the controller, who must choose a processor that provides sufficient guarantees to implement the technical and organisational measures which will ensure processing meets the requirements of the Regulation and safeguards the protection of the data subject’s rights.
The relationship between controller and processor must be governed by a contract or other legal act under Union or Member State law, which is binding on the processor with regard to the controller and which sets out, at least, the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.
The minimum content of this contract is established in Article 28.3 of the GDPR.
Related to this, you can consult the Data Processor Guide (Catalan version available) and also the standard contractual clauses approved by the European Commission through Implementing Decision (EU) 2021/915 of June 4, 2021.