Definition
Under the General Data Protection Regulation, a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller, acting only on the controller's documented instructions.
UK Context
Best Practices
- Execute comprehensive data processing agreements with all third-party providers that handle employee personal data
- Conduct due diligence on processors' security measures, certifications, and data breach history before engagement
- Maintain an inventory of all processors and sub-processors that access or handle employee data
- Review sub-processor lists regularly and exercise contractual rights to object to new sub-processors where appropriate
- Ensure contracts address data return or deletion obligations at the end of the service relationship
Frequently Asked Questions
What is a data processing agreement and when is it required?
A data processing agreement (DPA) is a binding contract between a controller and a processor that sets out the terms of data processing. It is required under Article 28 of the GDPR whenever a controller engages a processor to handle personal data. The DPA must specify the subject matter, duration, nature, and purpose of processing, as well as the processor's obligations.
Can a data processor be fined directly under the GDPR?
Yes. While controllers bear primary compliance responsibility, processors can be fined directly for breaching their specific obligations, such as failing to implement adequate security measures, processing data beyond the controller's instructions, or failing to appoint a data protection officer when required. Fines can reach up to 20 million euros or four per cent of annual worldwide turnover.
What happens to employee data when a processor contract ends?
The GDPR requires processors to delete or return all personal data to the controller after the end of the provision of services, and delete existing copies unless EU or member state law requires storage. The DPA should specify which option applies and the timeframe for deletion or return.