The basic concept of controllers and processors under the GDPR is not new. It’s very similar to the previous concept of data controllers and data processors under the Data Protection Act 1998 (“the 1998 Act”).
However, one significant change is that the GDPR now imposes some obligations directly on processors, as well as on controllers. This is a significant change from the position under the 1998 Act, which placed obligations only on data controllers. For the first time, processors have specific obligations towards individuals and are directly subject to regulation by the ICO. For example, processors are required to:
- maintain a record of all categories of processing activities they carry out on a controller’s behalf;
- keep personal data secure; and
- assist the controller in complying with certain obligations (such as security, notifications of personal data breaches, and data protection impact assessments).
The GDPR also sets out minimum terms that a controller must impose on its processor by contract.
For the first time, processors are also directly subject to the restrictions on transferring personal data outside the EEA, which apply unless an adequacy decision or appropriate safeguards are in place.