Under the General Data Protection Regulation (GDPR), processors (i.e. organisations processing personal data on behalf of a third party) is subject to new obligations.
Indeed, before the GDPR, processors were only contractually liable to the controller on behalf of which they processed personal data, provided there was a written contract between them. The Authority could not audit or sanction them.
Since the GDPR has entered into force, processors bear together with controllers a part of the responsibilities, though these responsibilities remains limited.
As a consequence, a supervisory authority is now allowed to audit and sanction directly a processor in breach of its GDPR obligations.
Under the GDPR, processors must:
- Hold a record of the data processing operations carried out on behalf of the controller;
- Implement the necessary security procedures and measures;
- Notify the Controller in case of a security breach;
- Implement the necessary procedures to assist the controller with any individual’s request (subject access request, erasure, portability etc.);
- Challenge the controller’s instructions when it considers them against the law (the extent of this obligation is not clear but we can imagine that in case of massive or obvious breach of the GDPR, the processor might be implicated and sanctioned by the authorities); and
- Obtain the controller’s prior consent before subcontracting and enter into a contract with the sub-contractor, which contains similar provisions as those in the contract entered into with the controller.
Processors should consider adhering to a code of conduct or obtain certification so that it can more easily prove its compliance with GDPR and reduce its liabilities in case of a breach. These codes of conduct and certification should be developed very soon by the Authorities and authorised independent companies.