After privacy controls have been baked into the software lifecycle, individuals who interact with data on a day-to-day basis can perform their responsibilities without much anxiety about whether they’re doing something wrong. These individuals are not responsible for implementing the privacy controls; they are, however, responsible for processing data within the boundaries of those controls. GDPR has extensive language about processors and their responsibilities, which we’ll unpack below. Article 28 is quite long, to ensure the processor’s responsibilities are completely understood and clearly required. In contrast, the other articles are a bit shorter because they apply more to the processor’s activities and to regulatory compliance for those activities.
Article 27: Representatives of Controllers or Processors Not Established in the Union
- Where Article 3 applies, the controller or the processor shall designate in writing a representative in the Union.
- The obligation laid down in paragraph 1 of this Article shall not apply to:
  - processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9 or processing of personal data relating to criminal convictions and offenses referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope, and purposes of the processing; or
  - a public authority or body.
- The representative shall be established in one of the Member States where the data subjects are located, being those whose personal data are processed in relation to the offering of goods or services to them, or whose behavior is monitored.
- The representative shall be mandated by the controller or the processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.
- The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.
Article 28: Processor
- The controller shall only use processors providing sufficient guarantees to implement appropriate technical and organizational measures so that processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subject.
- The processor shall not engage another processor without prior specific or general written consent from the controller. In the case of general written consent, the processor shall inform the controller of the intended changes associated with adding or replacing a processor. The controller shall be given the opportunity to object to such changes.
- A contract or other legal act under Union or Member State law shall govern the processing actions of the processor. The contract shall include the purpose of the processing, the nature of the processing, the duration of the processing, the subject matter of the processing, the type of personal data, and the categories of data subjects, along with the rights and obligations of the controller. The contract shall stipulate that the processor:
  - processes the personal data only on documented instruction from the controller, including the transfer of data to a third country or internationally, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of such legal requirement before processing, unless that law prohibits such information on the grounds of public interest;
  - ensures that the persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  - takes all measures required pursuant to Article 32;
  - respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
  - assists the controller by appropriate technical and organizational measures, insofar as is possible, for the fulfillment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III (Articles 12-23);
  - assists the controller in ensuring compliance pursuant to Articles 32 and 36, taking into account the nature of the processing;
  - at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires the storage of the personal data;
  - makes available to the controller all the information necessary to demonstrate compliance with the obligations laid down in this Article, and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
- Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular, to provide appropriate technical and organizational measures in such a manner that the processing will meet the requirements of this Regulation. If the other processor fails to meet the obligations required of it, the original processor shall be held liable to the controller for the performance of the other processor.
- Adherence of a processor to an approved code of conduct (Article 40) or an approved certification mechanism (Article 42) may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4.
- Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8, including when they are part of a certification granted to the controller or processor.
- The Commission may lay down standard contractual clauses for the matters referred to in paragraphs 3 and 4 and in accordance with the examination procedure referred to in Article 93.
- A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraphs 3 and 4 and in accordance with the consistency mechanism in Article 63.
- The contract shall be in writing, including in electronic form.
- Without prejudice to Articles 82, 83, and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered a controller in respect of that processing.
Article 29: Processing Under the Authority of the Controller or Processor
- The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller unless required to do so by Union or Member State law.
Article 30: Records of Processing Activities
- Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
  - name and contact details of the controller and, where applicable, the joint controller, the controller’s representative, and the data protection officer;
  - the purpose of the processing;
  - a description of the categories of the data subjects and of the categories of personal data;
  - the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
  - where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49, the documentation of suitable safeguards;
  - where possible, the envisaged time limits for erasure of the different categories of data;
  - where possible, a general description of the technical and organizational security measures referred to in Article 32.
- Each processor and, where applicable, the processor’s representative, shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
  - name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, the controller’s or the processor’s representative, and the data protection officer;
  - categories of processing carried out on behalf of each controller;
  - where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49, the documentation of suitable safeguards;
  - where possible, a general description of the technical and organizational security measures referred to in Article 32.
- The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
- The records shall be made available to the supervisory authority upon request.
- The obligations referred to in paragraphs 1 and 2 shall not apply to any organization employing fewer than 250 persons, unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data referred to in Article 9 or personal data relating to criminal convictions and offenses referred to in Article 10.
Article 31: Cooperating with the Supervisory Authority
- The controller and processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.
HOW DOES THIS APPLY TO YOU AND ME?
In general, these articles would only apply to you and me if we were data controllers or data processors in a company. Such organizations may need representatives if they operate in Member States other than the one in which they’re domiciled, and processors must support the controller in all endeavors for the duration of any contract in place between the controller and the processor(s). However, there have been many instances where a private citizen has been the target of a GDPR fine. As recently as May 12th, the Spanish Data Protection Authority (AEPD) imposed a fine of EUR 2,000 on a private citizen who shared a video on WhatsApp showing images of a violent attack on the data subject without having obtained the data subject’s consent. So, as you can see, even private citizens can’t avoid GDPR fines for sharing another person’s data without their consent. Each data processor must record its processing activities and meet the specific requirements detailed in Article 28 above, such as implementing appropriate safeguards over consumer data and adhering to the contract between it and the controller. So if you, in any way, handle data about other consumers that can identify them (Article 4), you are a “processor” or a “controller,” depending on your role in the organization and what data you handle.
To further understand how these articles apply to you and me, we can look at a recent GDPR fine that resulted from violations of Articles 28 and 29:
The French Data Protection Authority (DPA) imposed a EUR 1.5 million fine on April 15th, 2022. This fine was one of the largest this year and was in response to DEDALUS BIOLOGIE experiencing a data leak affecting approximately 500,000 individuals. The leaked data included surnames, first names, social security numbers, names of treating physicians, data on medical examinations, and illnesses of the data subjects. In other words, the company experienced a data breach resulting in the leak of personal health information that was capable of identifying unique individuals, approximately 500,000 of them. Article 29 was violated because the organization collected more information than required. Article 28 was violated because the DPA determined that the contract between DEDALUS and its customers didn’t comply with the requirements set forth in Article 28. The amount of the fine was determined based on the seriousness of the violation, as well as the total number of affected individuals.
These are my thoughts and should not be taken as professional advice, simply because you are not paying me for my opinion.
Once you understand how valuable your information is, then you can begin taking steps to keep it private.