Guidelines 07/2020 on the concepts of controller and processor in the GDPR
Paragraph 1.3.6 The processor must assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 (Art. 28 (3) (f) GDPR)
130. It is necessary for the contract to avoid merely restating these duties of assistance: the agreement should contain details as to how the processor is asked to help the controller meet the listed obligations. For example, procedures and template forms may be added in the annexes to the agreement, allowing the processor to provide the controller with all the necessary information.
131. The type and degree of assistance to be provided by the processor may vary widely “taking into account the nature of processing and the information available to the processor”. The controller must adequately inform the processor as to the risk involved in the processing and as to any other circumstance that may help the processor meet its duty.
132. Moving on to the specific obligations, the processor has, first, a duty to assist the controller in meeting the obligation to adopt adequate technical and organisational measures to ensure security of processing. While this may overlap, to some extent, with the requirement that the processor itself adopts adequate security measures, where the processing operations of the processor fall within the scope of the GDPR, they remain two distinct obligations, since one refers to the processor’s own measures and the other refers to the controller’s.
133. Secondly, the processor must assist the controller in meeting the obligation to notify personal data breaches to the supervisory authority and to data subjects. The processor must notify the controller whenever it discovers a personal data breach affecting the processor’s or a sub-processor’s facilities / IT systems and help the controller in obtaining the information that needs to be stated in the report to the supervisory authority. The GDPR requires that the controller notify a breach without undue delay in order to minimize the harm for individuals and to maximize the possibility to address the breach in an adequate manner. Thus, the processor’s notification to the data controller should also take place without undue delay. The EDPB recommends that a specific time frame for notification (e.g. a number of hours) and the point of contact for such notifications be provided in the contract. The contract should finally specify how the processor shall notify the controller in case of a breach.
134. Furthermore, the processor must also assist the controller in carrying out data protection impact assessments when required, and in consulting the supervisory authority when the outcome reveals that there is a high risk that cannot be mitigated.
135. The duty of assistance does not consist in a shift of responsibility, as those obligations are imposed on the controller. For instance, although the data protection impact assessment can in practice be carried out by a processor, the controller remains accountable for the duty to carry out the assessment and the processor is only required to assist the controller “where necessary and upon request.” As a result, the controller is the one that must take the initiative to perform the data protection impact assessment, not the processor.