The 'encargado del tratamiento' is the Spanish term for a data processor under the GDPR. This entity processes personal data on behalf of the data controller, acting under their instructions and without determining the purposes or means of the processing.
In the realm of data protection, the General Data Protection Regulation (GDPR) distinguishes between data controllers and data processors. Understanding the distinct roles and responsibilities of each is crucial for ensuring compliance with this wide-ranging European law. This article provides a comprehensive overview of the data processor under the GDPR, outlining their obligations, liabilities, and the essential aspects of their relationship with the data controller.
Defining the Data Processor under GDPR
The GDPR defines a data processor as a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. This definition underscores the processor's role as an entity acting under the direct instruction and authority of the data controller. Unlike the controller, who determines the purposes and means of processing, the processor’s actions are dictated by the controller's specific requirements.
Key Responsibilities of the Data Processor
While the data controller bears the primary responsibility for GDPR compliance, data processors are subject to a range of obligations designed to safeguard personal data and ensure accountability. These obligations include:
- Processing data only on documented instructions from the controller: The processor must adhere strictly to the controller’s documented instructions and shall not process data for any other purpose without explicit authorization.
- Implementing appropriate technical and organizational measures: Processors are required to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, that data.
- Ensuring confidentiality: Processors must ensure that individuals authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Assisting the controller in fulfilling its obligations: This includes assisting the controller in responding to data subject requests, such as requests for access, rectification, erasure, or portability.
- Notifying the controller of a data breach: Processors must notify the controller without undue delay after becoming aware of a personal data breach.
- Maintaining records of processing activities: Processors are required to maintain records of processing activities carried out on behalf of the controller, including the categories of processing activities performed, the controller’s name and contact details, and, where applicable, the details of the data protection officer (DPO).
- Cooperating with supervisory authorities: Processors must cooperate with supervisory authorities, such as the Information Commissioner’s Office (ICO) in the UK, in the performance of their tasks.
- Data protection impact assessments (DPIAs): Processors are obligated to assist the controller in carrying out DPIAs where the processing is likely to result in a high risk to the rights and freedoms of natural persons.
The Data Processing Agreement
Article 28 of the GDPR mandates that the relationship between the data controller and the data processor is governed by a contract or other legal act. This agreement, often referred to as a Data Processing Agreement (DPA), must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. A well-drafted DPA is essential for clarifying responsibilities, allocating liabilities, and ensuring GDPR compliance.
Key provisions that should be included in a DPA include:
- Detailed description of the processing activities.
- Security measures implemented by the processor.
- Data breach notification procedures.
- Audit rights of the controller.
- Obligations regarding data deletion or return upon termination of the agreement.
- Sub-processing arrangements (if any), including the requirement for the processor to impose equivalent data protection obligations on any sub-processors.
Liability of the Data Processor
Under Article 82 of the GDPR, data processors can be held liable for damages caused by processing that infringes the Regulation. Specifically, a processor can be held liable if it has processed data in a manner contrary to the controller’s lawful instructions or has failed to comply with the specific obligations of the GDPR directed at processors. This liability underscores the importance of processors fulfilling their obligations diligently and maintaining robust data protection practices.
Selecting a Data Processor
Controllers must exercise due diligence when selecting a data processor, ensuring that the processor provides sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. This assessment should consider factors such as the processor’s data security practices, certifications (e.g., ISO 27001), and track record of compliance.
Legal Perspective 2026
As we move towards 2026, the regulatory landscape surrounding data privacy is expected to further intensify. The GDPR will likely see increased enforcement, with supervisory authorities taking a more proactive approach in auditing and penalizing non-compliant organizations. Data processors will face greater scrutiny regarding their adherence to data processing agreements and their implementation of robust security measures. Moreover, the evolving interpretation of Article 28 concerning data processing agreements will necessitate careful review and updating of existing contracts to ensure ongoing compliance. Furthermore, the rise of artificial intelligence (AI) and machine learning (ML) will introduce new challenges in data processing, requiring processors to develop sophisticated mechanisms to address bias, ensure transparency, and protect against privacy risks associated with these technologies. Processors that invest in advanced data protection technologies, comprehensive training programs, and proactive compliance strategies will be best positioned to navigate this evolving legal environment and maintain the trust of their clients and data subjects.