Wondering about the data processor meaning?
Who is a data processor under GDPR?
What are the responsibilities of a data processor?
In this article, we will break down the concept of processors in detail so you know all there is to know about it.
What is a data processor?
A data processor is an individual or company acting on behalf of a data controller.
The data processor processes personal data strictly on behalf of a data controller and based on the controller’s instructions.
A data processor does not determine the purpose of the processing of personal data nor how the data is collected.
The data processor is generally a vendor, supplier or service provider hired by the data controller to handle a specific task, function or provide a specific service to the controller.
Article 4(8) GDPR defines a processor as:
“a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
The key takeaway from this definition is that a data processor is:
- A natural person
- A legal person
- A public authority, agency or other body
- Personal data
- On behalf
Let’s look at each of the different aspects of the definition of the processor.
A natural person
A processor can be a natural person or an individual.
A natural person is an individual with his or her own legal personality, or a human being, as opposed to a legal entity or a company.
If a natural person processing personal data on behalf of a controller can be considered a data processor.
A legal person
A data processor can be a legal person.
By “legal person” we mean:
- A corporation
- A partnership
- A cooperative
- Unincorporated associations
A legal person is any legal entity, or non-living entity, given a juridical personality and given certain rights as a natural person under the law.
A public authority, agency or body
A processor can also be a public authority, agency or body.
A public authority is an agency created by the government to support the public and the overall economy.
A public agency can be a commission, board, county, city, district or regional district.
A public body refers to corporations and legal entities operated by the state or government.
All of these entities managed, operated or controlled by the government can be data processors.
Data processing can mean pretty much anything under GDPR.
Article 4(2) GDPR defines processing as follows:
“any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”
The definition is very broad as you can see.
Data processing can be done either by automated means or not and it can mean:
- Collection of data
- Recording of data
- Organization of data
- Structuring of data
- Storage of data
- Adaptation of data
- Alteration of data
- Retrieval of data
- Consultation of data
- Use of data
- Disclosure of data
- Dissemination of data
- Making data available
- Alignment of data
- Combination of data
- Restriction of data
- Erasure of data
- Destruction of data
GDPR does not leave anything out!!
Any operation that involves using personal data can be a data processing activity.
Personal data is any information relating to an individual allowing his or her identification, directly or indirectly, from the data gathered or from a combination of data.
The GDPR definition of personal data is interesting as data can be considered personal data if it allows the identification of an individual but also an identifiable person.
It’s a very broad definition and can include many data points about a data subject.
You can read our article on personal data for a more in-depth assessment of what is personal data.
Acting “on behalf” of a controller means that the processing activity should not be in the data processor’s own interests.
Of course, the data processor has a commercial interest to render services to the data controller.
This interest is more with respect to the usage of personal data.
The processor must process the personal data on the instructions of the controller to help the controller achieve its purpose.
The goal is not to achieve another purpose related to the processor.
A data controller is a company collecting personal data and determining the purpose for which personal data is collected and the means used to process the data.
In other words, an individual or a company can be considered a data controller in the following instances:
- It determines why personal data is collected
- It determines how personal data is collected
The term sub-processor is not directly defined under GDPR but you may see it quite often.
GDPR refers to sub-processors by using language like “another processor” or “other processors”.
A sub-processor is a company to whom a processor may delegate tasks and functions.
Just like any organization that may work with outside vendors, suppliers and service providers, data processors run their business the same way as controllers.
They have a need to hire third parties to better run their business and achieve cost benefits or obtain benefits they cannot achieve internally.
When a processor delegates tasks to another company and they are required to provide the personal data received by a data controller, they are hiring a sub-processor.
For example, a controller may hire a software developer who will then hire a hosting company or a cloud storage company allowing it to host the software it will develop.
In this example, the software developer is the data processor and the cloud storage company it hires will be a sub-processor.
A processor must flow down its ‘processor’ obligations to the sub-processor to ensure compliance with GDPR.
The sub-processor, similar to the processor, must act strictly on behalf of the controller and process personal data only as it is instructed.
Data processor responsibility
The adoption of GDPR in May 2018 has expanded a data processor’s liability with regards to the processing and handling of personal data.
The data processor had legal obligations and duties to observe to remain in compliance with GDPR.
The main responsibility of a data processor is to process the personal data it receives strictly based on the instructions of the data controller.
The data processor will also need to take all the proper measures to protect and safeguard personal data.
When hiring a processor, the controller must ensure that the data processor offers sufficient guarantees that it can protect the personal data of data subjects in accordance with the requirements of GDPR.
Technical and organizational measures to protect personal data
Let’s look at a processor’s obligations resulting from GDPR.
Article 28 GDPR is the key provision outlining the processor’s obligations, it states:
“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
For a controller to retain the services of a processor and remain compliant with GDPR, the processor must provide appropriate technical and organizational measures to meet the requirements of GDPR.
In other words, the processor must be compliant with GDPR.
Hiring of sub-processors
The processor must not hire another processor or sub-processor without the specific and written authorization of the data controller.
If the processor has a general authorization to hire sub-processors, it must nonetheless notify the controller before changing a sub-processor effectively allowing the controller to raise an objection, if any.
Necessity of a contract
The processing of the personal data must be governed by a contract setting out processing activities to be performed by the data processor.
Specifically, the contract must outline the following:
- Scope of processing
- Nature of processing
- Purpose of processing
- Type of personal data processed
- Categories of personal data
- Rights and obligations of the data controller
Just like the controller, the processor must keep record of its data processing activities it has carried out for the controller.
The record must provide sufficient details as required by GDPR.
Particularly, the records of any transfers of personal data to third countries must be kept by data processors.
If required, the processor must cooperate with the supervisory authorities with respect to questions or inquiries about its data processing activities.
Processor’s shared obligations with the controller
The data processor and data controller have some shared obligations under GDPR.
GDPR defines key data processing principles companies must observe when processing data.
These principles are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Data accuracy
- Storage limitation
- Integrity and confidentiality (security)
Processors and controllers must comply with these obligations to remain in compliance with GDPR.
They share the obligation with one another with respect to the personal data they handle for the data subjects.
Examples of when a company is a data processor
There are many examples of how a company can act as a processor for another.
Here are some examples to help you better understand the potential role of a processor:
- Payroll outsourcing company handling a company’s payroll
- A company offering cloud storage
- A company offering email service
- A company offering hosting services
- A marketing agency running marketing campaigns
- An outsourced call center
- A subcontractor handling a project
There are endless possibilities.
Data controllers are not able to handle every aspect of their business needs efficiently themselves or in-house, it is quite normal and even strategic to hire a specialized firm or company to outsource certain tasks providing cost benefits and other advantages.
Data processor becoming joint data controllers
There are instances when a data processor may inadvertently become a joint controller.
For a data processor to remain as a data processor and not acquire a higher level of GDPR obligations, it must process the data on behalf of the controller and strictly based on the controller’s instructions.
It cannot use personal data for any other purpose.
If it does, it will become a controller for the purpose that goes beyond the mandate given by the controller.
For example, if a company is instructed to run analytics for another, then it’s clear that it’s a processor.
In this case, the processor is not collecting the personal data or determining the purpose or means.
However, if the same company is given personal data to perform analytics and it uses the data with other data to run the analytics, the organization will become a joint controller as it decides what other data to use and how to use it.
Difference between the data processor and the data controller
What is the difference between a data controller and a data processor?
Ownership of personal data
The data processor does not own personal data.
As a result, a data processor cannot claim any rights associated with the data it receives for processing.
The legality of the personal data obtain depends strictly on the data controller.
It is the controller’s responsibility to ensure it can lawfully process data and provide the data to a processor for processing.
The main difference between controller and processor
By definition, a data controller is an organization that determines the purpose of data processing and the means to achieve its purpose.
The data processor, on the other hand, processes personal data given to it for a very specific purpose as mandated by the controller.
For example, a company can outsource its cloud storage environment to a third party.
The third-party, or the processor, obtains personal data strictly for storage purposes and processes the data received only for storage purposes.
Other than that, the processor does not process the data in any other way.
If the data processor uses the data in a manner not authorized by the controller or with other data, then it may become a controller with respect to its ‘new’ processing operations.
Rule of thumb
A good rule of thumb is if an organization follows the instructions of another, then it’s a data processor.
The processor generally works on behalf of another organization and processes personal data as instructed.
If a company does not determine the purpose and means of processing, then it will be a controller.
Difficulty to define who is controller or processor
In some cases, it may be difficult to clearly define a company’s role.
Is the company a data controller or a data processor?
A small business operating with a few employees, a few clients and a few processors is a pretty simple and straightforward setup.
Compliance with GDPR can be manageable.
However, imagine a multi-billion dollar company, operating in many countries in the world, having thousands of partners, departments and millions of tasks.
GDPR compliance difficult raises to a whole new level.
In this real-life complex business environment, the difference between a data processor and controller may get blurry.
Here are some reasons why things can get complex:
- Companies having hundred of departments
- Millions of tasks performed in a company
- Collaboration with hundreds or thousands of processors
- Data processors located outside of the European Union
- Data processors located in countries not considered ‘adequate’
- The ability for data processors to identify an individual based using their own data
Rule of thumb
There may be instances that the role of a data controller or data processor is not clear cut.
Generally speaking, you are a data processor if you:
- Store data for another
- Do analytics for another
- Act on instructions of another
- Don’t collect the data yourself
- Do not have any purpose other than serving the other company’s needs
You are a data controller when:
- You decide how to use the personal data
- You define the means on how to collect personal data
- You select the data processor
- You instruct the processor what you want to delegate
- You give the personal data
- You enable the processor to collect the personal data on your behalf
Working Party 29’s opinion on the concept of “controller” and “processor”
On February 16, 2010, Article 29 Data Protection Working Party issued an opinion on the concept of “controller” and “processor”.
The opinion was issued at the time of the data protection Directive 95/46/EC.
The concepts are worth mentioning.
The Working Party indicated that data controllers are able to exert control on the essential elements of the data processing.
In contrast, data processors are unable to exert control on the essential elements of that processing.
This is more or less the same as what we have under GDPR.
GPDR states that the controller defines the purpose and means for processing personal data and the processor processes personal data strictly on the instructions and on behalf of the controller.