Articles 24-43 of the GDPR set out the responsibilities of processors. We have attempted to summarise them here, but recommend you refer to the regulation for the definitive rules.
Processors act on behalf of the relevant controller and under their authority. In doing so, they serve the controller’s interests rather than their own. Although a processor may make its own day-to-day operational decisions, Article 29 says it should only process personal data in line with a controller’s instructions, unless it is required to do otherwise by law.
Preignition is a data processor in relation to the personal data that customers collect from Respondents.
Processors have less autonomy and independence over the data they process, but they do have several direct legal obligations under GDPR and are subject to regulation by supervisory authorities. They have the following obligations.
- Controller’s instructions: you can only process the personal data on instructions from a controller (unless otherwise required by law). If you act outside your instructions or process for your own purposes, you will step outside your role as a processor and become a controller for that processing.
- Processor contracts: you must enter into a binding contract with the controller. This must contain a number of compulsory provisions, and you must comply with your obligations as a processor under the contract.
- Sub-processors: you must not engage another processor (i.e. a sub-processor) without the controller’s prior specific or general written authorisation. If authorisation is given, you must put in place a contract with the sub-processor whose terms offer the personal data an equivalent level of protection to those in the contract between you and the controller.
- Security: you must implement appropriate technical and organisational measures to ensure the security of personal data, including protecting against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access.
- Notification of personal data breaches: if you become aware of a personal data breach, you must notify the relevant controller without undue delay. Most controllers will expect to be notified immediately, and may contractually require this, as they only have a limited time in which to notify the supervisory authority. You must also assist the controller in complying with its obligations regarding personal data breaches.
- Notification of potential data protection infringements: you must notify the controller immediately if any of their instructions would lead to a breach of the GDPR or local data protection laws.
- Accountability obligations: you must comply with certain GDPR accountability obligations, such as maintaining records and appointing a data protection officer.
- International transfers: the GDPR’s restrictions on transferring personal data apply equally to processors and controllers. This means you must ensure that any transfer outside the UK is authorised by the controller and complies with the GDPR’s transfer provisions.