Processor
Key References:
- GDPR Art. 4(8) definition
- GDPR Arts. 27-28, 32-33
- GDPR Art. 30 (ROPA requirements)
- Accountability obligations
- In the matter of WhatsApp Ireland Limited (DPC Inquiry Reference: IN-18-12-2)
Breaking down the definition of processor under Art. 4(8):
- a natural or legal person,
- public authority, agency or other body
- which processes personal data on behalf of the controller;
Obligations and requirements for processors:
- Art. 27: Processors outside the EU are required to designate a representative in the Union.
  - Art. 27(2)(a) exempts processors outside the Union whose processing is occasional, does not include, on a large scale, processing of special categories of data or of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.
  - Note: the exemption is multi-layered and extensive.
- Arts. 28-29: List specific obligations governing the working relationship between processor and controller. Notable requirements include:
  - a binding, written, legal contract between the controller and processor;
  - the processor to process data, including any transfer of data to third countries, only on instructions from the controller;
  - the processor to assist in fulfilling the controller’s obligations on data subjects’ rights and cooperation with supervisory authorities;
  - the processor to obtain the controller’s authorisation prior to engaging sub-processors;
  - the processor to implement appropriate technical and organisational measures to meet GDPR requirements;
  - stipulations on whether the processor is to store, delete or return all personal data to the controller at the end of the contract.
- Art. 28(10): “if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing”.
  - Pursuant to this, a processor can become a controller depending on its activity; a mere contractual designation as processor therefore does not suffice.
- Art. 30(2): Lists mandatory obligations on processors to maintain written records of processing activities (ROPA). These are transparency obligations, such as listing details of the processor and the controllers it acts for, the categories of personal data processed, international transfers of data and security practices.
- Art. 32: Lists data-security obligations on processors, notably that the processor should implement appropriate technical and organisational measures, and pseudonymise and encrypt personal data where appropriate.
- Art. 33: Contains the obligation on the processor to notify the controller of a personal data breach “without undue delay and, where feasible, not later than 72 hours after having become aware of it”.
In the matter of WhatsApp Ireland Limited (DPC Inquiry Reference: IN-18-12-2)
- The DPC held that when WhatsApp processed the phone numbers of non-users which were uploaded on its app by its users, WhatsApp acted as a controller for the non-users.
- WhatsApp argued that it was a processor of the non-users on behalf of its users who controlled their address books and uploaded non-users’ phone numbers on WhatsApp.
- However, the DPC explained that pursuant to Arts. 4(7) and 28(3), a processor acts on behalf of a controller only under “a contract or other legal act”. Yet WhatsApp had no such legal contract with its users when it collected and processed the phone numbers of non-users. Therefore, WhatsApp was a controller, not a processor, of non-users’ personal data.
- The determination of controller vs. processor in this case was significant because of the resulting obligations that arise from the determination.