How to manage the data processor?

In this article we will talk about how to manage the data processor and the relationship with the controller through the designation contract.

Data processor

Data management and relationship with the controller
The data processors are extremely important in personal data management and it is essential to have a dedicated section to their management.

They support the Data Controller in the case of complex processing operations.

This is not always a mandatory role and the decision is always an "optional" choice for the data controller.

The latter may consider, after appropriate considerations, that a processing of personal data, due to its complexity and characteristics, requires the intervention of additional technical and organizational resources.

In this case, it will contact another subject (company, person or service) who will have the task of assisting in the processing of personal data that has been conferred to it.

With UTOPIA you can specify, if any, who the data processors are, in which processing operations they are involved and upload the relevant documentation such as, for example, the designation contract and the security measures used.

Differences from the Data Controller

The data processor, unlike the data controller, has no decision-making autonomy with respect to the processing operations it is involved in, but is limited, as defined in the contract, to supporting the data controller from both a technical and operational point of view with the resources and tools available, whether they are the property of the data controller or the data processor.

The European regulation on personal data protection, fully applicable from May 2018, specifies that the data processor "processes personal data on behalf of the controller", but does not decide its "purposes and tools", i.e. how and why to process them.

For the controller, it is extremely important to rely exclusively on processors able to demonstrate compliance with the rules, paying attention to security measures, both technical and organizational.

Before choosing the data processor, it will be necessary to:

  • Evaluate their company's data protection policy, the security measures they have adopted and the privacy management system they have implemented.
  • Regulate, by contract, the relationship established with the controller by defining the activities, terms and scope of the processing that will be delegated.
  • Adopt an internal procedure for verifying compliance with the terms of the agreement between the two parties, with the functions and instructions given to the processor.

How to add them in UTOPIA

Just go to the Organizations > Processors section, click the (+) button and enter the company name, VAT number, sector in which it operates and the activities it is responsible for.

Data processors section

Once the right figure has been identified, it will also be necessary to regulate the relationship with a contract or other legal act, which must contain:

  • The subject and duration of the processing entrusted to the controller.
  • Nature and purpose of the processing, where the data originate and the reason for the processing.
  • Types of personal data processed, whether they are, for example, common, economic, biometric or other types of data.
  • The categories of data subjects, i.e. all the natural persons to whom the data relate.
  • The operating instructions to proceed with the processing operations.

You can also upload the designation contract by clicking the Import from file button and specifying its name, creation date and expiration date.

Furthermore, you can use an existing template by clicking the Create the DPA (Data Processing Agreement) button.

Finally, if not forbidden by the agreement with the controller, the data processor may refer to other figures called sub-data processors.

Before designating or replacing them, the processor must inform the controller. The data processor shall also be responsible for any failure by the sub-data processor concerning the processing operations.

You can also create a processor specifying that it acts as a sub-processor.

Sub-data processors recur in many types of processing operations, and it is essential that each data controller is able to record them and, if necessary, object to their designation or replacement.

The obligations of the Data Processor

  • Transparency towards the data controller who has entrusted it to manage the data.
  • Adoption of security measures, making them available to the controller at least through a detailed document.
  • Establishing with the controller appropriate technical and organizational measures to comply with the regulation and the instructions received.
  • Allowing review and inspection activities carried out by the controller, alerting the controller if the instructions received violate data protection legislation, and facilitating the handling of requests from data subjects, including those concerning the exercise of their rights.
  • Building the register of processing operations carried out on behalf of the controller and, where required, making it available to the supervisory authority as requested by Article 30 of the GDPR.
  • In case of a data breach, informing the controller as soon as possible so that the latter can proceed with any data breach handling procedure.
  • Where applicable, designate a Data Protection Officer or his or her representative.
  • Once the relationship with the data controller has ended, the data processor must delete all personal data held by it that is related to the processing operations that are no longer carried out.

When is the Data Processor also legally responsible?

It is widely believed that the controller is always the only party responsible – they are certainly involved first and foremost – but this does not mean that the processor cannot be liable too.

In certain cases, the latter will also be liable for the damage caused, for example if they fail to comply with their obligations or if they act in a manner that is inconsistent with or contrary to the controller’s instructions on the processing operation for which they are responsible. But not only then.

Even failing to provide the information required by the regulation exposes the data processor to joint liability with the controller. It will be exempt only if it can demonstrate that the harmful event to which the data subject has been exposed is not attributable to it in any way.
