According to the GDPR, a ‘data processor’ is an entity (person, office, organization) that processes personal data on behalf of the data controller. For example, it may be an accounting firm, a payroll company or a marketing company that processes customers’ personal data.
The data processor processes personal data on the basis of a written agreement on the processing of personal data concluded with the data controller. Still, the controller remains responsible for the data processing. Therefore, the data processor should be chosen very carefully and should provide sufficient security guarantees for the processing of personal data.
What can the processor do with personal data?
The processor may only perform such activities and operations that have been entrusted to him by the data controller and that are stipulated in their agreement.
What are the obligations of the personal data processor?
Although the primary responsibility lies with the controller, the processor is obliged to properly secure the personal data being processed and to comply with reasonable organizational and technical countermeasures so that personal data are not put at risk.
If the processor finds out that the controller is in breach of the obligations stipulated by the law, it is his duty to inform the controller and stop the processing of personal data. If the processor fails to do so, the controller shall be liable for any damage caused to data subjects along with the administrator.