Under the GDPR (General Data Protection Regulation), your organisation’s compliance requirements depend on whether you are a data controller or data processor.
- A data controller is the person or organisation that determines how and why personal data is processed.
- A data processor is the person or organisation that processes personal data on behalf of a data controller.
Many organisations will be both data controller and data processor.
Third-party processor vs ‘third party’
Data processors are generally third-party organisations – that is, they are external organisations that work for or on behalf of data controllers.
However, Article 4(10) of the GDPR defines ‘third party’ as “a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data”.
To be clear, these third parties are not the same as third-party processors, which are what this blog is about.
What are third-party data processors responsible for?
One of the key principles of the GDPR is accountability: data controllers must be able to demonstrate that any processing they’re responsible for complies with the six data processing principles set out in Article 5:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
Although data controllers are ultimately responsible for their processors’ GDPR compliance, that doesn’t mean GDPR compliance isn’t your concern as a data processor, or something you can leave to your controllers to deal with on your behalf.
Article 28 sets out data processors’ responsibilities. Among other obligations, you must:
- Not engage another processor without the controller’s written consent;
- Process personal data only on written instructions from a controller;
- Ensure that anyone who is authorised to process personal data is committed to confidentiality;
- Implement the “appropriate technical and organisational measures” required by Article 32 and provide sufficient guarantees to the controller that you’ve done so;
- Help the controller meet their obligations to fulfil data subjects’ rights;
- Help the controller comply with the GDPR’s requirements relating to:
  - Data breach notification;
  - DPIAs (data protection impact assessments); and
  - Prior consultation.
- Delete or return all personal data to the controller after processing it, and delete any copies unless the law requires you to keep it; and
- Make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
All of these things should be included in your contracts with data controllers.
Does the GDPR affect all third-party data processing contracts?
The short answer is ‘yes’. Data controllers are responsible for ensuring that any third-party processors they use comply with the law, so, as a processor, your contract with a data controller will cover GDPR compliance.
As well as the points listed above, your contract will include such things as the:
- Subject matter and duration of the processing;
- Nature and purpose of the processing; and
- Type of personal data and categories of data subjects and the obligations and rights of the controller.
Consequences of non-compliance with the GDPR
Failing to comply with your GDPR processing obligations leaves you open to severe consequences.
The Regulation is backed by a penalty regime of “effective, proportionate and dissuasive penalties”, including administrative fines of up to €20 million or 4% of annual global turnover – whichever is higher.
It also grants data subjects the right to lodge a complaint with the supervisory authority, and the right to an effective judicial remedy against data controllers and processors if they consider their rights to have been infringed by processing that doesn’t comply with the Regulation.
On top of this, the supervisory authority has the power to “impose a temporary or definitive limitation including a ban on processing” (Article 58(2)(f)) – that is, it can stop you processing personal data altogether, effectively shutting you down.
Live Online GDPR training for data processors
To find out more about your responsibilities under the GDPR – and how to ensure you meet them – why not enrol on our Certified GDPR Foundation Live Online Training Course?