Guidelines 07/2020 on the concepts of controller and processor in the GDPR

Paragraph 1.3.1  The processor must only process data on documented instructions from the controller (Art. 28 (3) (a) GDPR)

113. The need to specify this obligation stems from the fact that the processor processes data on behalf of the controller. Controllers must provide its processors with instructions related to each processing activity. Such instructions can include permissible and unacceptable handling of personal data, more detailed procedures, ways of securing data, etc. The processor shall not go beyond what is instructed by the controller.

114. When a processor processes data outside or beyond the controller’s instructions, and this amounts to a decision determining the purposes and means of processing, the processor will be in breach of its obligations and will even be considered a controller in respect of that processing in accordance with Article 28 (10) (see section 1.5 below).

115. Because such instructions must be documented, it is recommended to include a procedure and a template for giving further instructions in an annex to the contract or other legal act. Alternatively, they can be provided in any written form (e.g. e-mail), as long as it is possible to keep records of such instructions. In any event, to avoid any difficulties in demonstrating that the controller’s instructions have been duly documented, the EDPB recommends keeping such instructions together with the contract or other legal act.

116. The duty for the processor to refrain from any processing activity not based on the controller’s instructions also applies to transfers of personal data to a third country or international organisation. The contract should specify the requirements for transfers to third countries or international organisations, taking into account the provisions of Chapter V of the GDPR.

117. The EDPB recommends that controller pay due attention to this specific point especially when the processor is going to delegate some processing activities to other processors, and when the processor has divisions or units located in third countries. If the instructions by the controller do not allow for transfers or disclosures to third countries, the processor will not be allowed to assign the processing to a sub-processor in a third country, nor will he be allowed to have the data processed in one of his non-EU divisions.

118. A processor may process data other than on documented instructions of the controller when the processor is required to process and/or transfer personal data on the basis of EU law or Member State law to which the processor is subject. This provision further reveals the importance of carefully negotiating and drafting data processing agreements, as, for example, legal advice may need to be sought by either party as to the existence of any such legal requirement. This needs to be done in a timely fashion, as the processor has an obligation to inform the controller of such requirement before starting the processing. Only when that same (EU or Member State) law forbids the processor to inform the controller on “important grounds of public interest”, there is no such information obligation. In any case, any transfer or disclosure may only take place if authorised by Union law, including in accordance with Article 48 of the GDPR.