Broadly speaking, a data processor has the same obligations as a data controller; however, there are some nuances which should be noted.
Processors must also:
- Perform only the processing defined by the data controller (or legal requirements)
- Obtain the written consent of the data controller before appointing a sub-processor
- Duplicate the same rules and constraints about personal data from the controller/processor contract in any contracts with sub-processors
There are circumstances where the data processor must inform the data controller of events:
- If the processor anticipates that the controller’s instructions and operations will conflict with the GDPR’s requirements or the laws of the EU Member State in question, the processor is obliged to inform the data controller immediately, without any undue delay
- Processors must notify the Data Controller of any data breach immediately, without delay, and must assist the controller in handling the breach
- Processors must notify the Data Controller of any data subject rights request immediately, without delay, and must assist the controller in handling the breach
A significant requirement is that Data Controller / Data Processor relationships must have a contract in place.