The controller is responsible for satisfying itself that its processor is competent to process personal data in line with the GDPR’s requirements. This assessment should take into account the nature of the processing and the risks to data subjects. Article 28(1) requires a controller to use only processors that provide “sufficient guarantees” to implement appropriate technical and organisational measures so that the processing meets the GDPR’s requirements and protects the rights of individuals; Recital 81 adds that these guarantees are to be judged in particular in terms of the processor’s expert knowledge, reliability and resources.
Considerations a controller may take into account when assessing whether a processor provides “sufficient guarantees” include:
- the extent to which the processor complies with relevant industry standards, where these apply in the context of the processing;
- whether the processor has sufficient technical expertise to assist the controller, eg in meeting its obligations under Articles 32-36 of the GDPR (security measures, breach notification, DPIAs and prior consultation);
- whether the processor can provide the controller with relevant documentation, eg its privacy policy, records management policy and information security policy; and
- whether the processor adheres to an approved code of conduct or certification scheme (once these become available), which Article 28(5) allows to be used as an element in demonstrating sufficient guarantees.
This is not an exhaustive list, and ultimately it is for the controller to satisfy itself that the processor provides sufficient guarantees in the context of the processing. Whether the guarantees are sufficient will depend on both the circumstances of the processing and the risk posed to the rights of individuals.
Once the controller has chosen a suitable processor, it must put in place a contract or other legal act that meets all the requirements of Article 28(3), and give the processor documented instructions to follow (either within the contract or separately).
However, the controller’s responsibilities do not end there. Controllers should check a processor’s compliance on an ongoing basis, both to satisfy the accountability principle and to demonstrate due diligence. In particular, Article 28(3)(h) requires the contract to stipulate that the processor makes available to the controller all information necessary to demonstrate compliance, and allows for and contributes to audits, including inspections, conducted by the controller or by another auditor mandated by the controller. The methods used to monitor compliance, and how often monitoring takes place, will depend on the circumstances of the processing.