In detail

How much autonomy does a processor have?

A processor may make its own day-to-day operational decisions, but Article 29 says it should only process personal data in line with a controller’s instructions, unless it is required to do otherwise by EU or Member State law (in that case it must inform the controller of this legal requirement before the processing, unless that law prohibits it from doing so on important grounds of public interest). This is also a required contract term under Article 28(3)(a).

If a processor acts outside of a controller’s instructions in such a way that it decides the purpose and means of processing, then it will be a controller and will have the same liability as a controller.

What responsibilities does a processor have in its own right?

In addition to the contract terms, a processor also has some direct responsibilities and liabilities under the GDPR. When drawing up and negotiating a contract for data processing, it is good practice for all parties to make sure they understand this.

The parties may also wish to explicitly cover this in the contract, although the GDPR doesn’t require it. For example, they may wish to include a clause specifying that nothing in the contract relieves the processor or controller of its own direct responsibilities and liabilities under the GDPR – and to say what these are.

In any case we recommend that both the controller and processor obtain their own professional advice.

For more information about a processor’s direct responsibilities under the GDPR, please see our guidance on controllers and processors.

Can a processor be held liable for non-compliance?

A processor may be contractually liable to the controller for any failure to meet the terms of their agreed contract. This will of course depend on the exact terms of that contract.

It will also be subject to the relevant investigative and corrective powers of a supervisory authority (such as the ICO) and may be subject to administrative fines or other penalties.

An individual can also bring a claim directly against a processor in court. A processor can be held liable under Article 82 to pay compensation for any damage caused by processing, including non-material damage such as distress. A processor will only be liable for the damage if:

  • it has failed to comply with GDPR provisions specifically relating to processors; or
  • it has acted without the controller’s lawful instructions, or against those instructions.

It will not be liable if it can prove it is not responsible for the event giving rise to the damage.

If a processor is required to pay compensation, but is not wholly responsible for the damage, it may be able to claim back from the controller the share of the compensation for which the controller is responsible. Both parties should seek professional legal advice on this.

Who is liable if a sub-processor is used?

If you are a sub-processor, you will be liable for any damage caused by your processing only if you have not complied with the GDPR obligations imposed on processors or you have acted contrary to lawful instructions from the controller, relayed by the processor, regarding the processing.

If you are a processor and use a sub-processor to carry out processing on your behalf, you will be fully liable to the controller for the sub-processor’s compliance with its data protection obligations. This means that, under Article 82(5), if a sub-processor is at fault, the controller may claim back compensation from you for the sub-processor’s failings. You may then claim compensation back from the sub-processor.

A sub-processor may also be contractually liable to the processor for any failure to meet the terms of the agreed contract. This will of course depend on the exact terms of that contract.

Processors and sub-processors should seek their own legal advice on issues of liability and on the contracts between controllers and processors, and between processors and sub-processors.