If you entrust a third party (a natural or legal person who is not part of your organisation) with a project or service that involves processing personal data, you will need to put in place a data processing agreement to regulate the commitments between you, as data controller, and the person, company or organisation that acts as the data processor.
The relationship between the data controller and the data processor must therefore be governed by a contract or by another legal act under EU or Member State law. In any case, it must be legally binding on the data processor with respect to the data controller and must set out, at a minimum:
- The subject matter of the processing.
- Its duration.
- Its nature.
- Its purpose.
- The type of personal data.
- The categories of data subjects.
- The obligations and rights of the data controller.
Controllers must only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures, so that the processing meets the requirements of the GDPR. The same requirement applies to data processors when they subcontract processing operations to another processor.
In accordance with the principle of accountability (proactive responsibility), the data controller must take appropriate measures, including in the selection of data processors, so as to ensure, and be able to demonstrate, that the processing is carried out in accordance with the GDPR.
When Law 9/2017 of 8 November, on public sector contracts (LCSP for its Catalan initials), applies, it must be determined whether the contract involves the contractor's access to personal data controlled by the contracting entity; if it does, the contractor is considered to be the data processor. In these cases, the rules established in the GDPR also apply. Likewise, what is established under Article 122, concerning the specifications of individual administrative clauses, must be taken into account.
It should be borne in mind that data processing contracts and agreements concluded before 25 May 2018 remain valid until their stated expiry. In any case, while the contract or agreement is in force, either party may require the other to amend it so as to adapt it to the provisions of the GDPR.
Obligations of the data processor
If you are the data processor, you are obliged to assist the data controller in fulfilling its obligations, always within the scope of the services you have been commissioned to provide. You must therefore ensure that personal data is processed correctly and, if you consider that an instruction infringes data protection regulations, you must immediately inform the data controller.
Specifically, you must:
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons.
- Keep a record of all categories of processing activities carried out on behalf of the data controller.
- Appoint a data protection officer when the law so requires.
- Notify the data controller of personal data breaches without undue delay after becoming aware of them.