Visit fondia.com
The content concerns Finnish legislation.

Processors and Disclosure of Data

A processor is an organization or individual that processes personal data on behalf of a controller. The term processor does not include a person employed by the controller who processes personal data as a part of the work assignments, but refers to a body, to whom the processing of personal data is outsourced. A processor may be, for instance, an accountant, an IT service provider or an advertising agency, which processes personal data on behalf of another company. The processor may only process data in accordance with the purposes defined by the controller. The processor cannot start to utilize personal data obtained by the controller for its own purposes through defining new purposes and means for the processing.

Outsourcing of processing activities must always be agreed on in a written contract. The minimum content of such contract is set out in the GDPR. Subcontracting is not possible without permission of the controller, and the processor is responsible for the actions of a sub-processor as for its own. The processor shall always:

  • comply with regulations concerning international transfers of data

  • enforce appropriate technical and organizational security measures

  • conclude a data processing agreement with the controller

  • assist the controller

  • co-operate with the national supervisory authority

The controller and the processor of personal data must document the processing tasks performed within their responsibility. The processor is also directly liable for sanctions, in the event of non-compliance with the above obligations.  Moreover, the controller must implement adequate safeguards and organizational measures. These include, for example, instructing the employees, self-monitoring of the use of data, information security measures for data systems as well as further safeguards in order to protect the data.  

Disclosure of personal data means the act of providing personal data to a third party, which uses the data for its own purposes and not on behalf of the controller. Consequently, outsourcing of personal data is not defined as disclosure of data. The right of the controller to disclose personal data to parties outside the own organization is regulated in the GDPR. Before disclosing personal data to third parties, the controller must make sure that the receiver has a legal ground for processing the data in accordance with the GDPR.  

Related articles

  • Automated Decision-making and Cookies

    Automated decision-making means decision-making without any form of human intervention, that has legal effects on the data subject. The purpose behind the decision must be to assess the characteristics of the data subject, such as professional performance, creditworthiness, reliability or behavior. Since the decision must have legal effects on the data subject or affect the data subject in a significant way, sending a direct marketing ad to the data subject based on a mailing list compiled automatically by a computer does not constitute an automated decision within the meaning of the article.
    Read article

  • Transfers of Personal Data Outside of EU/ETA

    When transferring personal data abroad, attention should be paid to whether the data is being transferred to the EU/EEA member states or outside the EU/EEA. Generally, the transfer of data outside the EU/EEA is only permitted if an adequate level of data protection can be ensured when transferring the data. A transfer of data happens, for example, if the same data controller from within the EU/EEA transfers the collected data or opens an access to it for their office outside the EU/EEA.
    Read article