Third Party Processing under GDPR

Even though the data subjects and the data controllers are at the heart of the General Data Protection Regulation, the processors are also affected by the regulation. Who is a processor? one may ask. Well, as per Article 4 of GDPR, a processor is a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

For instance, if a person provides his details to the HR Department of a company and the company forwards the same to another entity for a background check, then the HR department would be the data controller and the entity doing the background check would be the data processor. The data controller calls the shots on how and why is the personal data being used, as long as this, of course, happens in a GDPR compliant way.


Now that we have understood the difference between a data controller and a data processor, the question that needs to be answered is whether the data processors would also be subjected to the penalty under GDPR. The answer to the question is in the affirmative. GDPR gives the right to a data subject to claim compensation from a data controller or a processor for violation of his or her rights. Therefore, the data processors also need to prepare for compliance with this regulation.

For the data processors to be compliant with GDPR, the first thing that they need to know is what are their duties under the regulation. Broadly speaking, a data processor has to perform the following duties:

  • It should enter into a legally binding contract with the data controller which gives him the authority to process an individual’s data on behalf of the controller.
  • It should ensure that it does not engage another processor without prior authorisation from the controller. In case data processors further engage the services of another processor, another legally binding contract should be executed with the third entity that would link it to the data controller. In short, ensure that proper legal contracts are executed before outsourcing the processing activities.
  • Offer guarantees in relation to the implementation of appropriate technical and organizational measures for safeguarding the rights of the data subjects. Data processors should ensure that all their tools, products, applications or services, must respect the principles of data protection by design and by default.
  • Appoint a Data Protection Officer to have an expert in charge of the concrete implementation and safeguard compliance with GDPR.
  • Adhere to the code of conduct and certification requirements set out in GDPR.
  • If the data processor is based outside the territory of the European Union, it should appoint a representative in the European Union.

Data Processors should ensure that the contracts that they execute with the Data Controllers set out, among other things:

  • the subject matter of the processing;
  • the duration of the processing;
  • the nature of the processing;
  • the purpose of the processing;
  • the type of personal data that is processed;
  • the categories of data subjects;
  • the obligations and rights of the controller.

The data processors have specific obligations towards the data controllers which include:

  • A guarantee of confidentiality while processing the personal data outsourced buy the data controllers.
  • Implementation of technical and organizational measures that ensure a level of security appropriate to the risk.
  • Deletion or return of all personal data to the data controller after the termination of arrangement.
  • Allowing the data controller to carry out audits, inspections, etc., and contribute to these checks.
  • Informing the data controller, without undue delay, if under the data processor’s opinion, the data controller’s instructions infringe provision of GDPR or other Union or Member State law.

Considering that the data processors also need to ensure that the processing conducted by them meets the requirements set in GDPR and ensure the protection of the data subjects’ rights, it is important for them to keep track of all the data and all the processing activities. Therefore, processors should also prepare a data inventory. We have dealt with the creation of a data inventory in our previous article. Further, since the data processors are not in direct contact with the data subjects, they should routinely check with the data controllers if any request pertaining of processing of his or her data has been made by a data subject. This would add to due diligence on the part of the data processors.

It is noteworthy that the principles relating to the processing of personal data apply to processors and controllers alike. Therefore, the data processor has to follow similar GDPR rules as the data controller. So for a data processor to be compliant with GDPR, it would have to take similar measures as a data controller. You may refer to our previous articles to know what these measures may be.