Data processors and third parties

• Author: Michèle Finck
• Pages: 56-59

STOA | Panel for the Future of Science and Technology

56

5. Data processors and third parties

This section briefly reflects on two other categories of actors under the GDPR, namely data

processors and third parties.

Article 4(8) GDPR defines the data processor as 'a natural or legal person, public authority, agency

or other body which processes personal data on behalf of the controller'.369 The data processor

is accordingly an entity that carries out the actual personal data processing under the instruction of

the data controller, meaning that the latter and not the processor exercise determinative control

over the means and purposes of processing. It is important to stress that not every personal data

processing operation involves a data processor as the controller can itself carry out the processing.

As such, the existence of a processor 'depends on a decision taken by the controller'.370

Pursuant to the Article 29 Working Party, numerous elements ought to be taken into account to

determine whether someone is a data controller or processor. These include (i) the level of prior

instructions received from the data controller (which determines the margin of manoeuvre left to

the data processor), and (ii) the data controller's monitoring of the execution of the service. Indeed,

a constant and careful supervision by the controller 'provides an indication that the controller is still

in full and sole control of the processing operations'; and (iii) the 'visibility and image' given by the

controller to the data subject as well as the expectations the data subject has on the basis of such

visibility'.371 In some cases, it may also be appropriate to take into account the traditional role and

professional expertise of the service provider, which may entail its qualification as a data

controller.372

The processor has a limited number of obligations under the GDPR. Pursuant to Article 30(2)

GDPR, the processor (and, where applicable, its representative) shall maintain a record of 'all

categories of processing activities carried out on behalf of the controller.373 This should contain (i)

the name and contact details of the processor or processors as well as of each controller on behalf

of which they are acting (and, where applicable, the controller or processor's representative and

data protection officer).374 Under certain circumstances, the processor must also designate a data

protection officer.375 The established records should reflect the categories of processing that are

carried out on behalf of the controller, and where applicable, transfers of personal data to third

countries or international organisations.376 Where possible, there should also be a general

description of the 'technical and organisational security measures' that are referred to in Article 32(1)

GDPR.377 These records shall be 'in writing, including in electronic form'.378

It is moreover the duty of the controller or processor (and, where applicable, their representative) to

make these records available to the supervisory authority on request.379 Where a data breach has

occurred, the processor must moreover notify the controller 'without undue delay' after becoming

369 Article 4 (8) GDPR.

370 Article 29 Working Party, Opinion 1/2010 on the concepts of “controlle r” and “processor” (WP 169) 00264/10/EN, 1.

371 Ibid, 28.

372 Ibid, 24.

373 Article 30(2) GDPR.

374 Article 30(2)(a) GDPR.

375 Article 37 GDPR.

376 Article 30(2)(b) and (c) GDPR.

377 Article 30(2)(d) GDPR.

378 Article 30(3) GDPR.

379 Article 30(4) GDPR.