Several articles in this series have explained the role and responsibilities of the controller in data processing. This time we focus on another data processing role, the processor, and explain what the controller should consider when choosing such an “assistant” for data processing.
A processor is a person who is not an employee, or a company, appointed by the controller (an organization or company) to perform data processing on the controller’s behalf, for the purposes the controller has determined. For an organization to be considered a processor, it must meet two basic conditions: it must be a separate and independent organization, and it must process personal data on behalf of the controller.
An employee of the organization is not considered a processor as long as they have a legal employment relationship with the organization. In other words, an employee of a given organization cannot be that organization’s processor.
The controller usually appoints a processor when it realizes that data processing tasks need to be performed in the organization, but the organization lacks the necessary knowledge or resources, or the tasks cannot be performed for some other reason. The organization therefore chooses a processor that has these missing resources at its disposal.
Example: a company concludes a contract with an outsourced accounting specialist to handle the company’s external and internal finances. Since the accountant processes the personal data held by the company on the company’s behalf and on the basis of a mutual controller-processor agreement, the outsourced accountant is the processor in this case, while the company is the controller.
Since the controller remains responsible for the data processing, including the application of the appropriate legal basis, the processor it chooses must be reliable, must not cause harm to the people whose personal data the controller holds, and must ensure the protection of their rights. The selected processor must be able to demonstrate that it will perform its activities in accordance with the requirements of the Data Regulation and apply appropriate security measures for the processing.
Finding such a processor requires a prior assessment. It can be carried out by evaluating:
- whether the set of security requirements (including cyber security) implemented by the processor matches the controller’s wishes and needs (the implemented requirements meet or exceed what is necessary to reduce or prevent risks to data protection);
- reputation (for example, whether the processor has previously suffered a personal data breach);
- responsibility towards the people whose data is processed (procedures and readiness to fulfill obligations);
- knowledge of the field.
Such information can be collected, for example, from the information and documents published on the potential processor’s website, from other publicly available information, and by requesting it from the processor itself. The controller must be confident that the processor will not cause harm to the people whose data will be processed.
Finally, for the relationship between the controller and the processor to be legally defined and to comply with the obligation set out in the Data Regulation, both parties must enter into a mutual agreement or otherwise set out their relationship in writing. Signing the agreement indicates the readiness of both parties to cooperate and also confirms that the processor will process the data at its disposal in compliance with the provisions of the agreement and with data protection regulations.
The contract must clearly state the subject of the contract, the data to be processed, the purpose for which the controller transfers this data to the processor, the duration of the processing, and the rights and obligations of the processor in the specific processing. The controller has the right to regulate and determine the scope of the processing and the result to be achieved, and the processor must comply with these conditions. In any case, both parties perform data processing in accordance with the requirements of the Data Regulation.
Once the mutual agreement has been concluded, the controller transfers to the processor the relevant data (only what is necessary to achieve the purpose) and any other information needed for complete and secure data processing. The controller also informs the processor in good time if the processing has to be stopped sooner than stipulated in the contract, or if some other event has occurred that requires changes to the data processing.
We will explain the processor’s responsibilities when processing the controller’s personal data, and the actions it must take, in one of the next #DVIexplains.
More information on the definition and allocation of the controller and processor roles can be found in the European Data Protection Board Guidelines 07/2020 on the concepts of controller and processor in the GDPR.
https://www.dvi.gov.lv/lv/jaunums/dviskaidro-kas-parzinim-jazina-norikojot-apstradataju