Article 28-Processor

image credit: cyberwatching.eu

As per Article 4 of the GDPR, a processor is defined as a “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;”

From this definition, we can understand that during the processing the controller is the main entity and the processor acts as its subordinate: the processor processes data only on the instructions of the controller.

Article 28 prescribes some other important requirements for a processor which are as follows:

  1. A controller shall appoint only a processor that can adhere to and maintain standards of data protection and can ensure the protection of the rights of the data subject.
  2. A processor must appoint another processor only with the prior written consent of the controller. The controller must have the opportunity to object to changes in the appointment of such a processor.
  3. The relationship between the controller and the processor shall be governed by a contract or another legally binding instrument which details the subject matter of the processing, its duration, the nature and scope of the processing, the category of personal data being processed and the rights of the controller. Apart from this, the following items must also be taken into consideration:
     • The processor can process and transfer personal data only on the documented request of the controller
     • Strict confidentiality shall be maintained by the individuals processing personal data
     • Appropriate measures shall be taken to be compliant with the GDPR
     • All personal data shall be deleted or returned by the processor to the controller at the latter’s request
     • The controller shall be able to audit the processor
  4. Where the processor appoints another processor on behalf of the controller, the subsequent processor must also fulfil the obligations stipulated in the contract.
  5. Adherence by the processor to an approved code of conduct or a certification may be used to demonstrate that the processor is compliant with the norms.
  6. If the processor determines the means and purposes of the processing, it shall be deemed to be a controller.

The GDPR is very strict even towards an entity that merely follows the instructions of the controller. In this way, no entity handling personal data can escape the scrutiny of this regulation.