In this seventh episode of the blog series “Exploring the GDPR” I will discuss the processor and the processor agreement. These terms were already used in the Dutch Personal Data Protection Act (WBP).
Just as in the WBP, a processor still refers to the party acting on behalf of the controller in the processing of personal data. The processing of personal data by the processor is therefore always a derivative of the processing by the controller. The crucial difference is that the controller determines the purpose and means of the processing, whereas the processor explicitly does not. An example is a payrolling firm that handles the payroll administration for your company and must therefore process employee data. Here the employer is the controller, who determines the purpose and basis for the processing (implementation of the employment contract), and the payrolling firm is the processor.
The controller and the processor must conclude an agreement. The GDPR sets this strict requirement and also attaches various conditions to such a processor agreement. The mandatory items in a processor agreement are:
- specification of the processing that will take place and the purpose thereof;
- specification of the categories of data subjects (the persons whose data are being processed);
- confirmation that processing takes place based on written instructions from the controller;
- a guarantee that processors observe confidentiality;
- confirmation that the processor takes care of the technical and organizational security measures, in order to ensure a “risk-adjusted” security level (of which the Regulation mentions examples, such as pseudonymisation, encryption, permanent information security, restoration of availability/access to data in the event of incidents, and regular security tests);
- confirmation that the controller will give prior specific or general written consent to the processor to engage a sub-processor (on which sub-processor the same level of obligations must be imposed by the processor as those arising from the processor agreement);
- confirmation that the processor will assist the controller in fulfilling its obligation to comply with requests from the data subject (such as removal, modification, viewing or provision of personal data in a standard format);
- confirmation that the processor will assist the controller in fulfilling its other obligations such as the reporting of data leaks and performance of a privacy impact assessment;
- confirmation that the processor, after completion of the processing services, will return the personal data and remove any existing copies;
- confirmation that the processor will cooperate with an audit by the controller, in which the controller checks whether the obligations arising from the processor agreement are fulfilled.
Under the WBP regime, it is still possible for the processor to exclude liability (in whole or in part) contractually. This does not seem possible under the GDPR, because the GDPR determines that the processor may be addressed directly. This applies both to civil-law liability for any damage suffered as a result of a breach of the Regulation that is attributable to the processor, and to fines imposed by the supervisor (in the Netherlands this is the Dutch Data Protection Authority) as a consequence of a breach of the GDPR.
The GDPR has made the duties of the processor much more labour-intensive than under the regime of the WBP. Entering into a written processor agreement is crucial under the GDPR and forms part of the obligation to record the processing of personal data as well as possible. The following blog is about this: “Exploring the GDPR #8: Accountability and documentation obligation”. If there is no processor agreement, this may result in a fine up to a maximum of € 10 million or 2% of the worldwide annual turnover. It is therefore important to make an inventory of the processors used by your organization, or to establish whether you are a processor yourself. In some cases there may also be a “co-controller”.
Are you in doubt as to whether you are a controller or a processor? Then contact the privacy lawyers of Ten Holter Noordam. We will also be happy to assist you in drafting your processor agreements. Make sure that existing agreements are also GDPR-proof when the GDPR enters into force on 25 May 2018.