General Data Protection Regulation: a guide to assist processors

Who does it apply to?

Applicable as from 25 May 2018, the GDPR imposes specific obligations on processors who may be held liable in the event of data breaches.

These obligations apply to all organisations which process personal data on behalf of another body, as part of a service or performance. These are in particular:

• IT service providers (hosting, maintenance, etc.),
• software integrators,
• cybersecurity companies,
• digital service companies (formerly known as IT engineering service companies/SSII in French)who have access to data,
• Marketing or communications agencies that process personal data on behalf of their clients

What should processors do?

Processors are required to comply with specific obligations as regards security, confidentiality and documentation of their activity. They must take the principles of data protection by design and by default into consideration in terms of their service or product and put in place measures which guarantee optimal data protection.

Processors also have a duty to give advice to their clients, on behalf of whom they process data. They must assist them in the implementation of certain obligations created by the GDPR (privacy impact assessment, data breach notifications, security, contribution towards audits).

Processors must keep a record of the processing activities that they have carried out on behalf of their clients.

In some cases, they must designate a data protection officer (DPO) under the same conditions as a data controller.

Presented as a Q&A, the guide also provides an example of sub-contracting clauses to be modified and specified according to the sub-contracted service in question.

This guide is a living tool which may be expanded to take into account the good practices submitted to the CNIL by professionals.