Third Party Processing under GDPR

Even though the data subjects and the data controllers are at the heart of the General Data Protection Regulation, the processors are also affected by the regulation. Who is a processor? one may ask. Well, as per Article 4 of GDPR, a processor is a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

For instance, if a person provides his details to the HR Department of a company and the company forwards the same to another entity for a background check, then the HR department would be the data controller and the entity doing the background check would be the data processor. The data controller calls the shots on how and why is the personal data being used, as long as this, of course, happens in a GDPR compliant way.


Now that we have understood the difference between a data controller and a data processor, the question that needs to be answered is whether the data processors would also be subjected to the penalty under GDPR. The answer to the question is in the affirmative. GDPR gives the right to a data subject to claim compensation from a data controller or a processor for violation of his or her rights. Therefore, the data processors also need to prepare for compliance with this regulation.

For the data processors to be compliant with GDPR, the first thing that they need to know is what are their duties under the regulation. Broadly speaking, a data processor has to perform the following duties:

  • It should enter into a legally binding contract with the data controller which gives him the authority to process an individual’s data on behalf of the controller.

Data Processors should ensure that the contracts that they execute with the Data Controllers set out, among other things:

  • the subject matter of the processing;

The data processors have specific obligations towards the data controllers which include:

  • A guarantee of confidentiality while processing the personal data outsourced buy the data controllers.

Considering that the data processors also need to ensure that the processing conducted by them meets the requirements set in GDPR and ensure the protection of the data subjects’ rights, it is important for them to keep track of all the data and all the processing activities. Therefore, processors should also prepare a data inventory. We have dealt with the creation of a data inventory in our previous article. Further, since the data processors are not in direct contact with the data subjects, they should routinely check with the data controllers if any request pertaining of processing of his or her data has been made by a data subject. This would add to due diligence on the part of the data processors.

It is noteworthy that the principles relating to the processing of personal data apply to processors and controllers alike. Therefore, the data processor has to follow similar GDPR rules as the data controller. So for a data processor to be compliant with GDPR, it would have to take similar measures as a data controller. You may refer to our previous articles to know what these measures may be.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store