With the new Data Protection Regulation applicable from May 2018 (GDPR), data processors (i.e. companies or public authorities processing personal data on behalf of a third party) will have new responsibilities.
So far, data processors have had only a contractual liability vis-à-vis the data controller on whose behalf they processed personal data, provided there was a written contract between them.
From now on, data processors are partially responsible for the processing they are in charge of, even though this is not the same level of responsibility as that of data controllers.
As a consequence, a supervisory authority is now allowed to directly audit and sanction a processor in breach of its obligations under the GDPR.
From May 2018, data processors will have to:
- Hold a record of the data processing performed on behalf of the controller.
- Implement the necessary security procedures and measures.
- Be able to notify the controller in case of a security breach.
- Implement the necessary procedures to assist the data controller with any individual's request (subject access request, erasure, portability, etc.).
- Be able to challenge the controller's instructions when they are considered against the law (the extent of this obligation is not clear, but we can imagine that in case of a massive or obvious breach of the GDPR, the data processor might be implicated and sanctioned by the authorities).
- Ensure not to subcontract to a sub data processor without the controller's consent or prior information, and without entering into a contract with that sub data processor containing provisions similar to those in the contract entered into with the data controller.
A data processor should consider adhering to a code of conduct or obtaining a certification to demonstrate compliance with the GDPR, so that it can more easily prove its compliance and reduce its liability in case of a breach. These codes of conduct and certifications should be developed very soon by the authorities and by some authorised independent companies.