Data Processor
A Data Processor is a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
This definition stems from Directive 46/95/EC, the Directive which underpins all Data Protection law within the EU.
Arising from the Article 29 Working Group's Opinion of February 2010, there are a number of key factors which distinguish a Data Processor from a Data Controller:
- The Data Processor will be a distinctly separate legal entity. Employees of Data Controllers are not de facto Data Processors, even if they process personal data on behalf of their employer.
- The Data Processor may only perform its duties as a processor of personal data on behalf of a Data Controller for specific mandated purposes. Should the Processor begin to stray beyond the defined scope of those specified purposes, it may take on the nature and duties of a Data Controller in its own right.
It is therefore clearly in the interests of the Data Processor to ensure that suitable and appropriate contract terms are in place, with sufficient controls and check points to bring absolute clarity to its relationship with the Data Controller and to the specific mandated purposes for which it is processing personal data. The contract terms may include steps to address situations where requests from the Controller exceed the originally defined mandate, such as:
- Formal Change Control processes to amend the underlying contract, or
- Clear escalation processes where an activity is identified by the Processor as exceeding the original mandate.
