Data processors and third parties

Author: Michèle Finck
STOA | Panel for the Future of Science and Technology
5. Data processors and third parties
This section briefly reflects on two other categories of actors under the GDPR, namely data
processors and third parties.
Article 4(8) GDPR defines the data processor as 'a natural or legal person, public authority, agency
or other body which processes personal data on behalf of the controller'.369 The data processor
is accordingly an entity that carries out the actual personal data processing under the instruction of
the data controller, meaning that the latter, and not the processor, exercises determinative control
over the means and purposes of processing. It is important to stress that not every personal data
processing operation involves a data processor, as the controller can itself carry out the processing.
As such, the existence of a processor 'depends on a decision taken by the controller'.370
Pursuant to the Article 29 Working Party, numerous elements ought to be taken into account to
determine whether someone is a data controller or a processor. These include (i) the level of prior
instructions received from the data controller (which determines the margin of manoeuvre left to
the data processor); (ii) the data controller's monitoring of the execution of the service, since
constant and careful supervision by the controller 'provides an indication that the controller is still
in full and sole control of the processing operations'; and (iii) the 'visibility and image' given by the
controller to the data subject, as well as the expectations the data subject has on the basis of such
visibility.371 In some cases, it may also be appropriate to take into account the traditional role and
professional expertise of the service provider, which may entail its qualification as a data
The processor has a limited number of obligations under the GDPR. Pursuant to Article 30(2)
GDPR, the processor (and, where applicable, its representative) shall maintain a record of 'all
categories of processing activities carried out on behalf of the controller'.373 This should contain (i)
the name and contact details of the processor or processors as well as of each controller on behalf
of which they are acting (and, where applicable, the controller or processor's representative and
data protection officer).374 Under certain circumstances, the processor must also designate a data
protection officer.375 The established records should reflect the categories of processing that are
carried out on behalf of the controller, and where applicable, transfers of personal data to third
countries or international organisations.376 Where possible, there should also be a general
description of the 'technical and organisational security measures' that are referred to in Article 32(1)
GDPR.377 These records shall be 'in writing, including in electronic form'.378
It is moreover the duty of the controller or processor (and, where applicable, their representative) to
make these records available to the supervisory authority on request.379 Where a data breach has
occurred, the processor must moreover notify the controller 'without undue delay' after becoming
369 Article 4 (8) GDPR.
370 Article 29 Working Party, Opinion 1/2010 on the concepts of "controller" and "processor" (WP 169) 00264/10/EN, 1.
371 Ibid, 28.
372 Ibid, 24.
373 Article 30(2) GDPR.
374 Article 30(2)(a) GDPR.
375 Article 37 GDPR.
376 Article 30(2)(b) and (c) GDPR.
377 Article 30(2)(d) GDPR.
378 Article 30(3) GDPR.
379 Article 30(4) GDPR.
