Often a third party, data processors enact the decisions made by data controllers. Article 4 defines processors as:
a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
As they don’t dictate the nature of processing, data processors bear less responsibility than data controllers. However, they are still held to a fairly strict set of requirements, outlined in GDPR Article 28.
Though not an exhaustive list, these guidelines dictate that:
- Processors must cultivate a technical and organizational environment that ensures compliant processing.
- Processors may not contract their work to another processor unless the data controller explicitly agrees. If there are to be any changes to the processing agreement, the processor must inform the controller—giving them a chance to object.
- Processing may only occur under contract with a controller. The contract must outline the nature, duration, and purpose of processing, as well as the types of data and data categories that will be processed.
For a full list of data processor requirements, check out Article 28.