Who is the Data Processor (DP) and what are its responsibilities under the General Data Protection Regulation

The data processor (DP) is an entity that processes personal data for the account, on instruction and under the authority of the Data Controller (DC)-other than the employee of the DC. This enity can be a natural or legal person, public authority, agency or another body. Art. 4 (8) GDPR process Personal Data (PD) on behalf of the Data Controller (DC).

Data Protection Officer (DPO)

The Data Processor (DP) shall access if it is necessary to appoint a Data Protection Officer (DPO) (art. 37 General Data Protection Regulation). If it is the case, provide with the position as set out in art. 38 General Data Protection Regulation. 

Technical & Organisational Measures

The Data Processor (DP) must offer guarantees about the implementation of appropriate technical and organisational measurers meeting all the requirements set in the General Data Protection Regulation and protection of the data subjects’ rights. 


The Data Processor (DP) needs to be appointed by means of a writing contract or other legal act under EU or Member State Law. Binding the Data Processor (DP) to the Data Controller (DC) and its hall govern all the processing activities. 

The contract between the Data Processor (DP) and the Data Controller (DC)

The contract between the Data Processor (DP) and the Data Controller (DC) should set out the subject matter, duration, nature, and purpose of the processing, the type of personal data that is processed, the categories of data subjects and the duties and rights of the Data Controller (DC). 

Document instructions

The Data Processor (DP) must only act upon receipt of the Data Controller’s document instructions (evidence). 

Guarantee Confidentiality

The Data Processor (DP) shall ensure that all its staff processing the personal data are committed to confidentiality duties or other appropriate statutory obligation if confidentiality. 

Security of Processing

The Data Processor (DP) shall ensure that the implementation of technical and organisational measures ensure a level of security appropriates to the risk, in line with art. 32 General Data Protection Regulation. 

Register of Treatments

Unless exempted in line with art, 30 (5) General Data Protection Regulation, the Data Processor (DP) should maintain a register that lists all clients and describes the treatments that its perform on their account. The content is set out in art. 30 (2) General Data Protection Regulation. 

Engaging another Processor

Only if the Data Processor (DP) has the Data Controller (DC)’s authorisation, the nomination is in a written contract or other legal act, has the same duties arranged with the Data Controller (DC), specifies the data protection obligations if the initial Data Processor remains liable. 

Duty of Assistance to the Data Controller (DC)

Considering the nature of the processing, the Data Processor (DP) must assist to respond the data subject’s requests, security processing, the duties in case of a data breach, date protection impact assessment and prior consultation. 

Fata of the Personal Data

Unless otherwise established by EU or Member State law, after the end of provision of the service the Data Processor (DP) shall, at the choice of the Data Controller (DC), delete or return all personal data. 

Demonstrate Compliance

The Data Processor (DP) should make available to the Data Controller (DC) all the necessary information to demonstrate compliance. Allow carrying out audits, inspections, by the Data Controller (DC) or auditor that the Data Controller has mandated, and contribute to these checks. 

Warning and Advice

The Data Processor (DP) must inform the Data Controller (DC) without undue delay if, under this opinion, a Data Controller (DC)’s instruction infringes the General Data Protection Regulation of other Union or Member State data protection law. 

Cooperation with the Supervisory Authority

The Data Processor (DP) should cooperate with the Supervisory Authority with the performance of its tasks. 

Data Processor (DP) established outside the EU

Unless exempted as stated in art. 27 (2) General Data Protection Regulation, the Data Processor (DP) shall designate in writing a representative in the EU to be addressed in all the issues related to the processing for compliance purposes with the General Data Protection Regulation.

Previous Story

Who is the Data Controller (DC) and what are its responsibilities under the General Data Protection Regulation

Next Story

Principles for the Processing of Personal Data under the General Data Protection Regulation

Latest from Data Protection


VAN LEEUWEN LAW FIRM helps its clients to design a clear process in order to proactively

Privacy at Work

VAN LEEUWEN LAW FIRM assists its clients in implementing global data protection agreements as well as