The Data Processor
The Data Processor
The Data Processor (also referred to as the Processor or the Processor or ET), as a legal figure established in Article 6 of the European Data Protection Regulation (GDPR), defines it as the natural or legal person who processes personal data on behalf of the controller.
Following on from the above, the data controller (also referred to as the Controller or RT) is the natural or legal person who determines the purposes and means of processing personal data.
That is to say, the company or professional that in the development of its activity treats personal data of its customers, workers, job applicants, etc., hires the services of a supplier to delegate certain functions that involve the processing of personal data. That supplier will be the Data Processor.
An example of a processor would be an employment consultant who manages the payroll and social security of the employees of the controller. Another example would be the provider of IT solutions, such as data storage in the cloud.
Obligations of the Controller and the Processor
According to Article 28 of the GDPR, the controller shall only choose a Processor that provides sufficient guarantees that the data processing is in compliance with the requirements of the GDPR.
Another of the obligations established in this article is that the relationship between the controller and the processor shall be governed by a contract which, among other requirements, shall establish the purpose of the data processing, the type of personal data and categories of data subjects to be processed, as well as the obligations of the processor, including making available to the person in charge all the information necessary to demonstrate compliance with its obligations, as well as allowing and contributing to the performance of audits, including inspections, by the person in charge or by another auditor authorized by said person in charge.
In addition to the provisions of the RGPD, the content of this contract will have to contemplate the different directives issued by the European Commission, as established in article 28.7 of the RGPD, as well as the particularly established in the event that international data transfers are carried out.
To have data protection advice
In order for the relationship between controller and processor to comply with the legal requirements of the RGPD and other decisions by the European Commission, recommendations of the AEPD and other data protection control bodies, it pays to have a data protection company, or data protection consultants such as Business Adapter data protection.