Data Processor


The processor is the natural or legal person, public authority, service or body which processes personal data on behalf of the controller.

The controller must diligently choose a processor that offers sufficient guarantees with regard to the implementation and maintenance of appropriate technical and organisational measures and that guarantees the protection of the rights of the data subjects.

The relationship between the controller and the processor must be established through a contract or similar legal act that binds them, which must be in writing, including in electronic format, and must incorporate the content of article 28.3 of the GDPR.

The minimum content of the contract or agreement must include, among other things, aspects such as:

  • Object, duration, nature and purpose of the processing.
  • Types of personal data and categories of data subjects.
  • Obligation of the processor to process personal data only following documented instructions from the controller.
  • The duty of confidentiality.
  • Conditions for the controller to give their prior specific or general authorisation to subcontracting.
  • Security measures.
  • The rights of data subjects.
  • Where the data goes after the service ends.

Processors have their own obligations under the GDPR, which are not limited to the scope of the contract that binds them to the controller. So, for example:

  • They must maintain a record of processing activities.
  • They must determine the security measures applicable to the processing operations they carry out.
  • They must appoint, where appropriate, a data protection officer.

Processors can adhere to codes of conduct or become certified within the framework of the certification schemes provided for by the GDPR.

The processor must comply with the instructions given by the data controller for the provision of the service, especially in relation to the processing of personal data to which it has access as a result of the provision of this service.

The data processor may adopt any organisational and operational decision necessary to provide the service entrusted to it. Under no circumstances may the processor change the purposes and uses of the data, as that decision falls to the data controller, nor may it use the data for its own purposes.

If the processor establishes relations with the data subjects in its own name and without it being clear that it is acting on behalf of the controller, it will be considered the controller, even if a processing contract or other legal act has been formalised.

If the processing is commissioned within the framework of public sector contract legislation, the contractor will be considered the processor in any case, and the contracting administration will have the status of controller.

If the data processor uses the data for its own purposes, it will also be considered the controller.

The communication of personal data, within the framework of a data processor agreement, to a country that is not part of the Union is governed by the regulation established in the GDPR for international transfers.

Transfer to a third country cannot in any case mean a reduction in the level of protection of individuals established by the Regulation. This principle also applies to subsequent transfers of personal data from the third country to another third country or to an international organisation.

For the transfer of data to countries that do not guarantee an adequate level of protection, the controller must prove that the processor is able to offer adequate guarantees. In any case, it must guarantee that data subjects have enforceable rights and effective legal remedies.

Last update: 15.01.2026