Who are these actors?
A processor is defined under Art. 4(8) GDPR as a “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. This shows that a wide variety of entities can be considered a processor, provided it is a separate entity from the controller and the processing takes place on behalf of the controller. Controllers may also process data themselves, of course. However, they remain controllers as long as they not only process the data but also determine the purposes and means of the processing.
What are their tasks?
The processor processes personal data on behalf of the controller. The processor has to implement appropriate technical and organizational measures to ensure data protection. The processing itself can be either a specific, detailed task or a more general processing. A controller can therefore also decide to delegate only a specific part of the processing to an external processor and conduct the remaining parts itself.
The processing of data happens under the instructions of the controller. Data should therefore not be processed in any way other than what has been agreed upon with the controller.
A processor may appoint sub-processors but needs written consent from the controller to do so. The sub-processor(s) should process the data on the same terms as the original processor.
What are their rights and responsibilities?
The processor acts under the instructions and terms of the controller. The processor is, however, allowed to choose and use, to a certain degree, the technical and organizational means it deems most suitable for the processing. This level of influence of the processor is not defined, so the safest option is for processor and controller to agree by contract on a set of means. A distinction can also be made between essential means (which data, from whom, for how long, who should access it) and non-essential means (the practical, technical aspects of the processing). The essential means are clearly to be provided by the controller, as they are linked to the purposes of the processing. The non-essential means may be decided by the processor in order to implement and execute the processing. However, as discussed before, this has to be assessed on a case-by-case basis.
With respect to the responsibilities, the processor has to provide “sufficient guarantees” (Art. 28(1) GDPR) that the processing meets the requirements of the GDPR. These guarantees are essential, as the controller has the duty to use only processors that can provide such guarantees and demonstrate GDPR compliance and the protection of data subjects. Art. 28(3)(a-h) GDPR lists all the information that should be included in a written contract between processor and controller before any data is processed. This means that the processor must act only upon the controller's written instructions, must guarantee data security and confidentiality, and must document all processing activities. Art. 30(2) GDPR states that each processor needs to “maintain a record of all categories of processing activities carried out on behalf of a controller”.
The research institution A has gathered a large database that contains personal data of data subjects collected through a questionnaire. A now assigns a data analytics company B to analyze the data in order to find hidden relationships within it. In this example, A acts as the controller, as A determines the purposes and means of processing, while B acts as the processor that carries out the processing on behalf of the controller. Data analytics company B now decides to use the personal data for its own purposes, which have not been contractually agreed upon.
With this further processing of the personal data, B becomes a controller for this new type of processing. With these actions, B also infringes the GDPR. Consequently, company B may be subject to an administrative fine for any infringement of the GDPR that arises from the new processing, including a possible personal data breach. Also, in that case, institution A bears no responsibility for the incident. Institution A should, however, have chosen a more suitable processor and should have obtained guarantees on the compliant processing of the data beforehand. Contractual agreements are used to clearly define the roles, rights and obligations/responsibilities of all parties for the processing of the personal data.
1 For more information on this level of competence and the distinction between essential and non-essential means see: EDPB, https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf, p. 14.