Someone else (a natural or legal person or any other body) may process personal data on your behalf provided there is a contract or other legal act. It is important that the processor you appoint provides sufficient guarantees to implement appropriate technical and organisational measures to ensure that the processing will meet the standards of the General Data Protection Regulation (GDPR) and to guarantee the protection of the rights of the individuals.
The appointed processor can’t subsequently appoint another processor without your prior, specific or general written authorisation. The contract or legal act between your company/organisation and the processor should include the following elements:
- the processing can take place only on documented instructions from the controller;
- the processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- the processor must offer a minimum security level defined by the controller;
- the processor must assist in ensuring compliance with the GDPR.
A construction company is using a sub-contractor for specific construction work, and provides it with the contact details of the clients where the construction work needs to be done. The sub-contractor further uses the data to send the clients marketing material. The sub-contractor in that case doesn’t qualify merely as a ‘processor’ under the GDPR as the sub-contractor is not only processing personal data on behalf of the construction company, but also further processing it for its own purposes. The sub-contractor is therefore acting as a ‘data controller’.
You’re a retail company that decides to store a back-up version of your client database on a cloud server. To that end you enter into a contract with a cloud provider known for its data protection standards and which also has a certified system of encryption of data. The cloud provider is your processor, as by storing the personal data of your clients on its servers it will be processing personal data on your behalf.
- Article 28 and Recital (81) of the GDPR