In the context of GDPR and other data protection regulations, a data processor refers to the actor tasked with defining ‘why’ and ‘how’ personal data should be processed. This term can describe companies and organizations that are regarded as data processors by the data controller. A data controller in GDPR and other data protection regulations might refer to users who fulfill data controllers’ tasks within a company or organization. Data processors only process data on behalf of the controller; therefore, they are usually a third party external to the company. However, in the case of groups of undertakings, one undertaking may act as a processor for another project.
The responsibilities that the data processor undertakes should be specified contractually. For example, a contract should indicate the retention policies that apply to the personal data once the contract is fulfilled. Typical activities of processors include offering cloud infrastructure solutions, such as storage or computing. The data processor may only outsource some, but not all, of its tasks to another processor. It can also appoint a joint processor if it has prior written authorization from the data controller.
Typical Data Processor Projects
- Design, create and implement data processes and systems to allow the data controller to collect personal data.
- Use tools and strategies to collect personal data.
- Implement security measures to mitigate security risks around personal data.
- Store personal data collected by the data controller.
- Distribute and transfer data from the data controller to other third parties.
It is essential to differentiate between the data controller and the data processor with regard to the responsibilities assigned to each role. If an organization or company is involved in data processing, it is of paramount importance to establish roles and responsibilities early, to avoid any confusion that might lead to data being misused.
Defining clear roles and responsibilities helps ensure there are no gaps in responsibilities and that organizations can deal with incidents such as data breaches and data leakages efficiently and effectively. For instance, in a data breach, the data controller and the data processor limit their risk exposure if each knows which role it plays and can show that it has done everything expected of it.
In some instances, organizations and companies can be data controllers, data processors, or both. It can also be the case that the data processor role is shared among more than one organization. An organization is a joint controller when, together with one or more other organizations, it jointly determines ‘why’ and ‘how’ personal data should be processed. Joint controllers must enter into an arrangement setting out their respective responsibilities for complying with the GDPR rules, and they must communicate the main aspects of that arrangement to the individuals whose data is being processed. A third-party data processor neither owns nor controls the data it processes. This distinction means that the data processor may not change the purpose of the processing or how the data is used; data processors are bound by the instructions given by the data controller.