Processors
The data protection legislation applies to processors as well as controllers, and processors are now subject to greater regulatory and judicial exposure.
The Applied GDPR defines “processors” as “a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller”. Processors can only process personal data on the written instructions of a controller (contract); if they process the personal data outside the instructions of a controller, the processor will be deemed to be a controller in its own right.
The legislation also applies to processors if they undertake processing on behalf of ANY controller (irrespective of the controller’s jurisdiction) and that processing is
“related to:
- The offering of goods and services, irrespective of whether a payment of the data subject is required, to data subjects in the Union [including the Isle of Man]; or
- The monitoring of their behaviour as far as their behaviour takes place within the Union [including the Isle of Man]”
When are processors used?
It is common practice for a controller to engage a processor to process personal data on its behalf – for example, to take advantage of the processor’s expertise and experience in a particular type of processing operation.
Examples:
- A specialist company provides software and data analysis to process the daily pupil attendance records of a state-maintained school for an annual fee. For the software provision the company is not a processor, but for the data analysis it is a processor for the school.
- The readers of a monthly science magazine receive a hard copy delivered to their home. Their subscriptions and the mailings are handled by a separate company at the publisher’s request. The company is a processor for the magazine publisher.
- A marketing company sends promotional vouchers to a hairdresser’s customers on the hairdresser’s behalf. The marketing company is a processor for the hairdresser.
- An organisation uses a cloud service to store and analyse its data. The organisation remains the controller and the cloud service provider is its processor.