Do you use a processor to process or are you a processor who processes personal data?

As was discussed in an earlier blog, there is a distinction between a controller and a processor. 

  • A controller determines the purposes and means of processing of personal data.  The controller, taking into account the nature, scope, context, and purpose of the processing and the risks of varying likelihood and severity for the rights and freedoms of individuals, must implement appropriate technical and organizational measures.
  • A processor processes personal data on behalf of the controller. 

Under the GDPR, it is important to know whether you use a processor to process personal data or whether you are a processor who processes personal data.  The reason is that the GDPR requires the controller to obtain from the processor certain promises before the controller can use a processor.  Likewise, if you are a processor, the GDPR requires you to make certain promises to the controller before you can act as a processor and requires you to obtain from sub-processors certain promises before you can use them as sub-processors.  

Until it has obtained the prior specific or general written authorization of the controller, the processor cannot engage a sub-processor.  Where the prior written authorization is general, the processor must inform the controller of any intent to add or replace a sub-processor.  This notice is so the controller has the opportunity to object to any change in sub-processors. 

If a processor determines the purposes and means of processing of personal data, then the processor will be considered to be a controller with respect to the processing.

Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers.  Joint controllers must set forth their respective roles and responsibilities with respect to individuals, but individuals may exercise their rights against each of the joint controllers.

The processor, and any person acting as an agent of the controller or the processor, who has access to personal data, cannot process that personal data unless instructed to do so by the controller or unless required to do so by law.

This blog is the 22nd in a series of blogs that explains, in bit size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple,, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite size pieces is part of one the topics in GDPRsimple.

Next blog:  What kind of agreements do you need if you are a processor or use a subprocessor?

Leave a comment

Your email address will not be published. Required fields are marked *