GDPR – EU Regulation on the protection of personal data, which enters into force on 25.05.2018, imposes a number of obligations on entrepreneurs and institutions that collect and process personal data. Responsibility for lawful data processing rests with, among others on PDA, or the Personal Data Administrator. The Regulation does not, however, impose an obligation to carry out these tasks alone. That is why many companies decide to use outside help. The services of the processor can be used by companies and institutions that want to outsource tasks related to the protection and processing of personal data to external entities.
Who is the processor?
The explanation of the term processor should start with emphasizing the separateness of this institution from the Personal Data Administrator. PDA is an authority, unit or person (eg a company employee) who makes decisions about the purposes and means of personal data processing in an enterprise. Therefore, his or her tasks include setting goals and methods of data processing in your own company or institution.
The processor is a completely separate institution. He is also known as a processor, because it is his task to process personal data on behalf of PDA. This means that the processor is not the owner of the data received from the administrator. What’s more, they are transferred for a specific purpose and can only be processed in this way. Entrusting the data to the processor takes place by concluding a contract in writing. Personal Data Administrator, signing the agreement with the processor, loses control over what happens to the shared data, but remains the owner.
Entrusting processing and sharing data – differences
In order to understand what function the processor is capable of, we should realize the difference in understanding the concepts of entrusting the processing of personal data, and sharing them. In the simplest terms, entrustment can be compared to data rental. By sharing data, we go a step further – you can compare it to giving or resale. In the latter case, Personal Data Administrator loses control over the data – the new recipient will decide about their further fate.
Do not forget to sign the contract!
The Personal Data Administrator may, in accordance with the new regulations, entrust data processing to the processor. However, the law precisely defined the manner in which this entrustment is to be made – by concluding a written agreement on the entrustment of data processing.
Such an agreement must contain a number of provisions regarding the method of data processing. These include, among others: the scope and purpose of the processing, the rules of control, the conditions of access to personal data, the ability to subcontract tasks to subcontractors.
Other processor’s obligations
In addition to the issues we mentioned above, the processor has many other responsibilities. One of the most important is certainly implementation right measures to secure entrusted data. This is about preparing your own data processing policy by the processor – and it need to be done even before the start of processing.
The law says that for complying with the rules and performing duties, the processor is liable on the same terms as the Personal Data Administrator. It is this entity that will be fully responsible for actions taken by subcontractors who process data further. After the conclusion of a valid contract, the processor’s liability will also apply to the processing of data in a manner inconsistent with the content of the concluded contract.