In detail 

What are your responsibilities as a processor?

Processors have less autonomy and independence over the data they process, but they do have several direct legal obligations under the GDPR and are subject to regulation by supervisory authorities. If you are a processor, you have the following obligations.

  • Controller’s instructions: you can only process the personal data on instructions from a controller (unless otherwise required by law). If you act outside your instructions or process for your own purposes, you will step outside your role as a processor and become a controller for that processing.
  • Processor contracts: you must enter into a binding contract with the controller. This must contain a number of compulsory provisions, and you must comply with your obligations as a processor under the contract. For more information please read our guidance on contracts.
  • Sub-processors: you must not engage another processor (ie a sub-processor) without the controller’s prior specific or general written authorisation. If authorisation is given, you must put in place a contract with the sub-processor with terms that offer an equivalent level of protection for the personal data as those in the contract between you and the controller.
  • Security: you must implement appropriate technical and organisational measures to ensure the security of personal data, including protecting against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access. For more information please read our guidance on security.
  • Notification of personal data breaches: if you become aware of a personal data breach, you must notify the relevant controller without undue delay. Most controllers will expect to be notified immediately, and may contractually require this, as they only have a limited time in which to notify the supervisory authority (such as the ICO). You must also assist the controller in complying with its obligations regarding personal data breaches. For more information please read our guidance on personal data breaches.
  • Notification of potential data protection infringements: you must notify the controller immediately if any of their instructions would lead to a breach of the GDPR or local data protection laws.
  • Accountability obligations: you must comply with certain GDPR accountability obligations, such as maintaining records and appointing a data protection officer. For more information please read our guidance on accountability and governance.
  • International transfers: the GDPR’s prohibition on transferring personal data outside the EEA applies equally to processors as it does to controllers. This means you must ensure that any transfer outside the EEA is authorised by the controller and complies with the GDPR’s transfer provisions. For more information please read our guidance on international transfers.
  • Appointing a representative within the European Union: if you are based outside the EU but are involved in offering services to or monitoring individuals inside the EU, you may need to appoint a representative in the EU.
  • Co-operation with supervisory authorities: you are also obliged to cooperate with supervisory authorities (such as the ICO) to help them perform their duties.

Can a processor be held liable for non-compliance?

Yes. You will be subject to the relevant investigative and corrective powers of a supervisory authority (such as the ICO) and may be subject to administrative fines or other penalties.

You may also be contractually liable to the controller for any failure to meet the terms of your agreed contract. This will of course depend on the exact terms of that contract.

An individual can also bring a claim directly against you in court. You can be held liable under Article 82 to pay compensation for any damage caused by processing (including non-material damage such as distress). You will only be liable for the damage if:

  • you have failed to comply with GDPR provisions specifically relating to processors; or
  • you have acted without the controller’s lawful instructions or against those instructions.

You will not be liable if you can prove you are not in any way responsible for the event giving rise to the damage.

If you are required to pay compensation but are not wholly responsible for the damage, you may be able to claim back from the controller the share of the compensation for which they were liable. Both parties should seek professional legal advice on this.


Can you sub-contract to another processor?

If you wish to use a sub-processor, you must obtain the controller’s written authorisation. The authorisation can be specific or general. Specific authorisation means the controller must approve the particular sub-processor for the particular processing operation in question. General authorisation means:

  • the controller pre-approves a list of potential sub-processors; or
  • the controller approves a list of criteria that you can use to select and appoint a sub-processor.

If you have general authorisation, you must inform the controller if you wish to make any changes to the list of possible sub-processors or criteria for choosing a sub-processor, and give the controller a chance to object.

You must send the controller any proposed changes in writing, setting out the date by which the controller should raise any objections. The controller should also respond in writing and explain the reasons for any objections. Remember you can only act on the controller’s instructions.

If you have written authorisation, you may appoint the sub-processor but must put in place a contract with the sub-processor. The terms of the contract that relate to Article 28(3) must offer an equivalent level of protection for the personal data as those in the contract between you and the controller.

The fact that you may sub-contract some or all of the processing activities you have been engaged to perform does not make you a controller in your own right, as overall control of the processing remains with the original controller. However, you will be liable to the controller for the sub-processor’s compliance.

How does using a sub-processor affect liability for non-compliance?

If you are a sub-processor, you will be liable for any damage caused by your processing only if you have not complied with the GDPR obligations imposed on processors or you have acted contrary to the controller’s lawful instructions, relayed by the processor, regarding the processing.

If you are a processor and use a sub-processor to carry out processing on your behalf, you will be fully liable to the controller for the sub-processor’s compliance. This means that, under Article 82(5), if a sub-processor is at fault, the controller may claim back compensation from you for the failings of the sub-processor. You may then claim compensation back from the sub-processor.

A sub-processor may also be contractually liable to the processor for any failure to meet the terms of their agreed contract. This will of course depend on the exact terms of that contract.

Processors and sub-processors should seek their own legal advice on issues of liability and on the contracts made between controllers and processors and between processors and sub-processors.