- What are your responsibilities as a processor?
- Can a processor be held liable for non-compliance?
- Can you sub-contract to another processor?
- How does using a sub-processor affect liability for non-compliance?
Processors have less autonomy and independence over the data they process, but they do have several direct legal obligations under the GDPR and are subject to regulation by supervisory authorities. If you are a processor, you have the following obligations.
- Controller’s instructions: you can only process the personal data on instructions from a controller (unless otherwise required by law). If you act outside your instructions or process for your own purposes, you will step outside your role as a processor and become a controller for that processing.
- Processor contracts: you must enter into a binding contract with the controller. This must contain a number of compulsory provisions, and you must comply with your obligations as a processor under the contract. For more information please read our guidance on contracts.
- Sub-processors: you must not engage another processor (ie a sub-processor) without the controller’s prior specific or general written authorisation. If authorisation is given, you must put in place a contract with the sub-processor with terms that offer an equivalent level of protection for the personal data as those in the contract between you and the controller.
- Security: you must implement appropriate technical and organisational measures to ensure the security of personal data, including protecting against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access. For more information please read our guidance on security.
- Notification of personal data breaches: if you become aware of a personal data breach, you must notify the relevant controller without undue delay. Most controllers will expect to be notified immediately, and may contractually require this, as they only have a limited time in which to notify the supervisory authority (such as the ICO). You must also assist the controller in complying with its obligations regarding personal data breaches. For more information please read our guidance on personal data breaches.
- Notification of potential data protection infringements: you must notify the controller immediately if any of their instructions would lead to a breach of the GDPR or local data protection laws.
- Accountability obligations: you must comply with certain GDPR accountability obligations, such as maintaining records and appointing a data protection officer. For more information please read our guidance on accountability and governance.
- International transfers: the GDPR’s prohibition on transferring personal data outside the EEA applies equally to processors as it does to controllers. This means you must ensure that any transfer outside the EEA is authorised by the controller and complies with the GDPR’s transfer provisions. For more information please read our guidance on international transfers.
Appointing a representative within the European Union: if you are based outside the EU but are involved in offering services to or monitoring individuals inside the EU, you may need to appoint a representative in the EU.
Co-operation with supervisory authorities: you are also obliged to cooperate with supervisory authorities (such as the ICO) to help them perform their duties.
Yes. You will be subject to the relevant investigative and corrective powers of a supervisory authority (such as the ICO) and may be subject to administrative fines or other penalties.
You may also be contractually liable to the controller for any failure to meet the terms of your agreed contract. This will of course depend on the exact terms of that contract.
An individual can also bring a claim directly against you in court. You can be held liable under Article 82 to pay compensation for any damage caused by processing (including non-material damage such as distress). You will only be liable for the damage if:
- you have failed to comply with GDPR provisions specifically relating to processors; or
- you have acted without the controller’s lawful instructions or against those instructions.
You will not be liable if you can prove you are not in any way responsible for the event giving rise to the damage.
If you are required to pay compensation but are not wholly responsible for the damage, you may be able to claim back from the controller, the share of the compensation for which they were liable. Both parties should seek professional legal advice on this.