In detail

What responsibilities does a controller have when using a processor?

The controller is responsible for assessing that its processor is competent to process personal data in line with the GDPR’s requirements. This assessment should take into account the nature of the processing and the risks to the data subjects. This is because Article 28(1) says a controller must only use a processor that can provide “sufficient guarantees” (in particular in terms of its expert knowledge, resources and reliability) to implement appropriate technical and organisational measures to ensure the processing complies with the GDPR and protects the rights of individuals.

Some examples of the considerations controllers should have when assessing whether the processor provides “sufficient guarantees” could include:

  • the extent to which they comply with industry standards, if these apply in the context of the processing;
  • whether they have sufficient technical expertise to assist the controller, eg in carrying out obligations under Articles 32-36 of the GDPR (technical measures, breach notifications and DPIAs);
  • providing the controller with relevant documentation, eg their privacy policy, record management policy and information security policy; and
  • adherence to an approved code of conduct or a certification scheme (when they become available).

This is not an exhaustive list, and ultimately it is for the controller to satisfy itself that the processor provides sufficient guarantees in the context of the processing. Whether the guarantees are sufficient will depend on both the circumstances of the processing and the risk posed to rights of individuals.

Once the controller has chosen a suitable processor, it must put in place a contract or other legal act that meets all the requirements of Article 28(3) and give the processor documented instructions to follow (either in the contract or separately).

However, the controller’s responsibilities do not end there. Controllers should ensure a processor’s compliance on an ongoing basis, in order for them to satisfy the accountability principle and demonstrate due diligence. In particular, Article 28(3)(h) explicitly requires the processor to allow for and contribute to audits and inspections, carried out either by the controller or a third party appointed by the controller. The methods used to monitor compliance and the frequency of monitoring will depend on the circumstances of the processing.

What is a controller’s liability when it uses a processor?

A controller is primarily responsible for its own compliance and ensuring the compliance of its processors. This means that, regardless of the terms of the contract with a processor, the controller may be subject to any of the corrective measures and sanctions set out in the GDPR. These include orders to bring processing into compliance, claims for compensation from a data subject and administrative fines. For more details about how we exercise our powers, please see the taking action page on our website.

An individual can bring claims directly against a controller if the processing breaches the GDPR, in particular where the processing causes the individual damage.

A controller will be liable for any damage (and any associated claim for compensation payable to an individual) if its processing activities infringe the GDPR.

However, a controller will not be liable for damage resulting from a breach of the GDPR if it can prove it was not in any way responsible for the event giving rise to the damage.

If a processor is involved in the processing, the individual making the claim for compensation can claim against either party. If a controller has to pay full compensation for damage suffered by individuals, it may be able to claim back all or part of the amount of compensation from a processor involved in the processing, to the extent that the processor is at fault.