A processor is an organization or individual that processes personal data on behalf of a controller. The term processor does not include a person employed by the controller who processes personal data as part of their work assignments, but refers to a body to which the processing of personal data is outsourced. A processor may be, for instance, an accountant, an IT service provider or an advertising agency, which processes personal data on behalf of another company. The processor may only process data in accordance with the purposes defined by the controller. The processor cannot start to utilize personal data obtained by the controller for its own purposes by defining new purposes and means for the processing.
Outsourcing of processing activities must always be agreed on in a written contract. The minimum content of such a contract is set out in the GDPR. Subcontracting is not possible without the permission of the controller, and the processor is responsible for the actions of a sub-processor as for its own. The processor shall always:
comply with regulations concerning international transfers of data
enforce appropriate technical and organizational security measures
conclude a data processing agreement with the controller
assist the controller
co-operate with the national supervisory authority
The controller and the processor of personal data must document the processing tasks performed within their responsibility. The processor is also directly liable for sanctions in the event of non-compliance with the above obligations. Moreover, the controller must implement adequate safeguards and organizational measures. These include, for example, instructing the employees, self-monitoring of the use of data, information security measures for data systems as well as further safeguards in order to protect the data.
Disclosure of personal data means the act of providing personal data to a third party, which uses the data for its own purposes and not on behalf of the controller. Consequently, outsourcing of personal data processing is not defined as disclosure of data. The right of the controller to disclose personal data to parties outside its own organization is regulated in the GDPR. Before disclosing personal data to third parties, the controller must make sure that the receiver has a legal ground for processing the data in accordance with the GDPR.