Processor obligations under the General Data Protection Regulation (GDPR)

In addition to the contractual obligations set out in the GDPR, a processor has the following direct responsibilities under the GDPR. The processor must:

  • only act on the written instructions of the controller
  • not use a sub-processor without the prior written authorisation of the controller
  • cooperate with supervisory authorities (such as the Information Commissioner's Office (ICO))
  • ensure the security of its processing
  • keep records of its processing activities
  • notify any personal data breaches to the controller
  • employ a data protection officer if required
  • appoint (in writing) a representative within the European Union if required

A processor should also be aware that:

  • it may be subject to investigative and corrective powers of supervisory authorities (such as the Information Commissioner's Office (ICO))
  • if it fails to meet its obligations, it may be subject to an administrative fine
  • if it fails to meet its GDPR obligations it may be subject to a penalty
  • if it fails to meet its GDPR obligations it may have to pay compensation