Use of processors

The selection and use of processors is subject to a high duty of care by controllers which will require tender documents and procurement processes to be regularly reviewed.  Written contracts must be put in place (based in part or in full on standard contractual clauses) which sets out:

The contract must stipulate in particular that the processor shall:

Controllers must, therefore, only select a processor that provides sufficient guarantees to implement appropriate technical and organisational measures to ensure the processing complies with the Applied GDPR.

Processors which go beyond the terms of any contract will be a controller and Article 28(10) of the Applied GDPR specifically states that"if a processor infringes this Regulation by determining the purposes and means of data processing, the processor shall be considered to be a controller in respect of that processing."

See: Articles 28 and Recital 81 of the Applied GDPR