• Courses
      • Global Series of National Privacy Laws
      • Netherlands Privacy Academy (in Dutch)
      • Caribbean Privacy Academy (in Dutch)
    • Resources
    • Join GADPPRO ACADEMY
      • Join GADPPRO Academy as an Official Partner
      • Become an Official GADPPRO Training Entity
      • Join the GADPPRO Business Academy
      • Secretariat & International Training Centre
      • Contact Us
    •  
      • RegisterLog in
    Privacad GADPPRO Academy
      • Courses
        • Global Series of National Privacy Laws
        • Netherlands Privacy Academy (in Dutch)
        • Caribbean Privacy Academy (in Dutch)
      • Resources
      • Join GADPPRO ACADEMY
        • Join GADPPRO Academy as an Official Partner
        • Become an Official GADPPRO Training Entity
        • Join the GADPPRO Business Academy
        • Secretariat & International Training Centre
        • Contact Us
      •  
        • RegisterLog in

      Blog

      Privacy Guidelines on Data Processor and Data Controller

      • Categories Blog, Business, Design / Branding, Free Data Protection Resources, Uncategorized
      • Date September 23, 2020

      Guidelines 07/2020 on the concepts of controller and processor in the GDPR

      Paragraph 1.3.1  The processor must only process data on documented instructions from the controller (Art. 28 (3) (a) GDPR)

      113. The need to specify this obligation stems from the fact that the processor processes data on behalf of the controller. Controllers must provide its processors with instructions related to each processing activity. Such instructions can include permissible and unacceptable handling of personal data, more detailed procedures, ways of securing data, etc. The processor shall not go beyond what is instructed by the controller.

      114. When a processor processes data outside or beyond the controller’s instructions, and this amounts to a decision determining the purposes and means of processing, the processor will be in breach of its obligations and will even be considered a controller in respect of that processing in accordance with Article 28 (10) (see section 1.5 below).

      115. Because such instructions must be documented, it is recommended to include a procedure and a template for giving further instructions in an annex to the contract or other legal act. Alternatively, they can be provided in any written form (e.g. e-mail), as long as it is possible to keep records of such instructions. In any event, to avoid any difficulties in demonstrating that the controller’s instructions have been duly documented, the EDPB recommends keeping such instructions together with the contract or other legal act.

      116. The duty for the processor to refrain from any processing activity not based on the controller’s instructions also applies to transfers of personal data to a third country or international organisation. The contract should specify the requirements for transfers to third countries or international organisations, taking into account the provisions of Chapter V of the GDPR.

      117. The EDPB recommends that controller pay due attention to this specific point especially when the processor is going to delegate some processing activities to other processors, and when the processor has divisions or units located in third countries. If the instructions by the controller do not allow for transfers or disclosures to third countries, the processor will not be allowed to assign the processing to a sub-processor in a third country, nor will he be allowed to have the data processed in one of his non-EU divisions.

      118. A processor may process data other than on documented instructions of the controller when the processor is required to process and/or transfer personal data on the basis of EU law or Member State law to which the processor is subject. This provision further reveals the importance of carefully negotiating and drafting data processing agreements, as, for example, legal advice may need to be sought by either party as to the existence of any such legal requirement. This needs to be done in a timely fashion, as the processor has an obligation to inform the controller of such requirement before starting the processing. Only when that same (EU or Member State) law forbids the processor to inform the controller on “important grounds of public interest”, there is no such information obligation. In any case, any transfer or disclosure may only take place if authorised by Union law, including in accordance with Article 48 of the GDPR.

      • Share:
      author avatar
      Richard V

      Previous post

      Privacy Guidelines on Data Processor and Data Controller
      September 23, 2020

      Next post

      Privacy Guidelines on Data Processor and Data Controller
      September 23, 2020

      You may also like

      Children Safety Encryption www.privacad.com
      Apple’s New Step to Protect Child Abuse via Encryption Feature
      20 August, 2021
      DNA Technology and Privacy www.privacad.com
      DNA Technology Regulation Bill and Violation of Privacy for Minority Groups
      19 August, 2021
      www.privacad.com
      India accuses Twitter of not complying with new IT rules
      18 August, 2021

      Search

      Categories

      • Blog
      • Business
      • Design / Branding
      • Free Data Protection Resources
      • Nederlandse Privacy Academie
      • Uncategorized
      Facebook-f Linkedin-in

      © Privacad 2020

      For all your questions about courses

      students@privacad.com

      For all your questions about Privacad for business

      info@privacad.com

      Links

      • Courses
      • Become a GADPPRO Academy Official Training Entity
      • Resources
      • Free Data Protection Resources
      • Blog
      • Profile
      • Students Stewards Network (SSN)

      Support

      • Privacy Policy
      • Terms of Use
      • FAQs
      • Contact

      © GADPPRO Academy | Privacad 2022

      GADPPRO Academy 2022

      Login with your site account

      Lost your password?

      Not a member yet? Register now

      Register a new account

      Are you a member? Login now