Guidelines 07/2020 on the concepts of controller and processor in the GDPR
SECTION 1 RELATIONSHIP BETWEEN CONTROLLER AND PROCESSOR
91. A distinct new feature in the GDPR are the provisions that impose obligations directly upon processors. For example, a processor must ensure that persons authorised to process the personal data have committed themselves to confidentiality (Article 28 (3)); a processor must maintain a record of all categories of processing activities (Article 30 (2)) and must implement appropriate technical and organisational measures (Article 32). A processor must also designate a data protection officer under certain conditions (Article 37) and has a duty to notify the controller without undue delay after becoming aware of a personal data breach (Article 33 (2)). Furthermore, the rules on transfers of data to third countries (Chapter V) apply to processors as well as controllers. In this regard, the EDPB considers that Article 28 (3) GDPR imposes direct obligations upon processors, including the duty to assist the controller in ensuring compliance.