Data processors and third parties

AuthorMichèle Finck
Pages56-59
STOA| Panel for the Future of Science and Technology
56
5.Data processors and third parties
This section briefly reflects on two other categories of actors under the GDPR, namely data
processors and third parties.
Article 4(8) GDPR defines the data processor as 'a natural or legal person, public authority, agency
or other body which processes personal data on behalf of the controller'.369The data processor
is accordingly an entity that carries out the actual personal data processing under the instruction of
the data controller, meaning that the latter and not the processor exercise determinative control
over the means and purposes of processing. It is important to stress that not every personal data
processing operation involves a data processor as the controller can itself carry out the processing.
As such, the existence of a processor 'depends on a decision taken by the controller'.370
Pursuant to the Article 29 Working Party, numerous elements ought to be taken into account to
determine whether someone is a data controller or processor. These include (i) the level of prior
instructions received from the data controller (which determines the margin of manoeuvre left to
the data processor), and (ii) the data controller's monitoring of the execution of the service. Indeed,
a constant and careful supervision by the controller 'provides an indication that the controller is still
in full and sole control of the processing operations'; and (iii) the 'visibility and image' given by the
controller to the data subject as well as the expectations the data subject has on the basis of such
visibility'.371In some cases, it may also be appropriate to take into account the traditional role and
professional expertise of the service provider, which may entail its qualification as a data
controller.372
The processor has a limited number of obligationsunder the GDPR. Pursuant to Article 30(2)
GDPR, the processor (and, where applicable, its representative) shall maintain a record of 'all
categories of processing activities carried out on behalf of the controller.373This should contain (i)
the name and contact details of the processor or processors as well as of eachcontroller on behalf
of which they are acting (and, where applicable, the controller or processor's representative and
data protection officer).374Under certain circumstances, the processor must also designate a data
protection officer.375The established records should reflect the categories of processing that are
carried out on behalf of the controller, and where applicable, transfers of personal data to third
countries or international organisations.376Where possible, there should also be a general
description of the 'technical and organisational security measures' that are referred to in Article 32(1)
GDPR.377These records shall be 'in writing, including in electronic form'.378
It is moreover the duty of the controller or processor (and, where applicable, their representative) to
make these records available to the supervisory authority on request.379Where a data breach has
occurred, the processor must moreover notify the controller 'without undue delay' after becoming
369Article 4 (8) GDPR.
370Article 29 Working Party, Opinion 1/2010 on the concepts of “controlle r” and “processor” (WP 169) 00264/10/EN, 1.
371Ibid, 28.
372Ibid, 24.
374Article 30(2)(a) GDPR.
376Article 30(2)(b) and (c) GDPR.
377Article 30(2)(d) GDPR.

Get this document and AI-powered insights with a free trial of vLex and Vincent AI

Get Started for Free

Unlock full access with a free 7-day trial

Transform your legal research with vLex

  • Complete access to the largest collection of common law case law on one platform

  • Generate AI case summaries that instantly highlight key legal issues

  • Advanced search capabilities with precise filtering and sorting options

  • Comprehensive legal content with documents across 100+ jurisdictions

  • Trusted by 2 million professionals including top global firms

  • Access AI-Powered Research with Vincent AI: Natural language queries with verified citations

vLex

Unlock full access with a free 7-day trial

Transform your legal research with vLex

  • Complete access to the largest collection of common law case law on one platform

  • Generate AI case summaries that instantly highlight key legal issues

  • Advanced search capabilities with precise filtering and sorting options

  • Comprehensive legal content with documents across 100+ jurisdictions

  • Trusted by 2 million professionals including top global firms

  • Access AI-Powered Research with Vincent AI: Natural language queries with verified citations

vLex

Unlock full access with a free 7-day trial

Transform your legal research with vLex

  • Complete access to the largest collection of common law case law on one platform

  • Generate AI case summaries that instantly highlight key legal issues

  • Advanced search capabilities with precise filtering and sorting options

  • Comprehensive legal content with documents across 100+ jurisdictions

  • Trusted by 2 million professionals including top global firms

  • Access AI-Powered Research with Vincent AI: Natural language queries with verified citations

vLex

Unlock full access with a free 7-day trial

Transform your legal research with vLex

  • Complete access to the largest collection of common law case law on one platform

  • Generate AI case summaries that instantly highlight key legal issues

  • Advanced search capabilities with precise filtering and sorting options

  • Comprehensive legal content with documents across 100+ jurisdictions

  • Trusted by 2 million professionals including top global firms

  • Access AI-Powered Research with Vincent AI: Natural language queries with verified citations

vLex

Unlock full access with a free 7-day trial

Transform your legal research with vLex

  • Complete access to the largest collection of common law case law on one platform

  • Generate AI case summaries that instantly highlight key legal issues

  • Advanced search capabilities with precise filtering and sorting options

  • Comprehensive legal content with documents across 100+ jurisdictions

  • Trusted by 2 million professionals including top global firms

  • Access AI-Powered Research with Vincent AI: Natural language queries with verified citations

vLex

Unlock full access with a free 7-day trial

Transform your legal research with vLex

  • Complete access to the largest collection of common law case law on one platform

  • Generate AI case summaries that instantly highlight key legal issues

  • Advanced search capabilities with precise filtering and sorting options

  • Comprehensive legal content with documents across 100+ jurisdictions

  • Trusted by 2 million professionals including top global firms

  • Access AI-Powered Research with Vincent AI: Natural language queries with verified citations

vLex

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT