Data processors are extremely important in personal data management, and it is essential to have a section dedicated to managing them.
This is not always a mandatory role and the decision is always an "optional" choice for the data controller.
The latter may conclude, after appropriate consideration, that a personal data processing operation, because of its complexity and characteristics, requires additional technical and organizational resources.
In this case, the controller will contact another party (a company, person or service) tasked with assisting in the processing of the personal data entrusted to it.
With UTOPIA you can specify who the data processors are, if any, and which processing operations they are involved in, and upload the relevant documentation, such as the designation contract and the security measures used.
The data processor, unlike the data controller, has no decision-making autonomy with respect to the processing operations it is involved in, but is limited, as defined in the contract, to supporting the data controller from both a technical and operational point of view with the resources and tools available, whether they are the property of the data controller or the data processor.
The European regulation on personal data protection, fully applicable from May 2018, specifies that the data processor "processes personal data on behalf of the controller", but does not decide its "purposes and tools", i.e. how and why to process them.
For the controller, it is extremely important to rely exclusively on parties able to demonstrate compliance with the rules, paying attention to security measures, both technical and organizational.
Before choosing the data processor, it will be necessary to:
Just go to the Organizations > Processors section, click the (+) button and enter the company name, VAT number, sector in which it operates and the activities it is responsible for.
Once the right figure has been identified, it will also be necessary to regulate the relationship with a contract or other legal act, which must contain:
You can also upload the designation contract by clicking the Import from file button and specifying its name, creation date and expiration date.
Furthermore, you can use an existing template by clicking the Create the DPA (Data Processing Agreement) button.
Finally, if not forbidden by the agreement with the controller, the data processor may rely on other figures called sub-data processors.
Before designating or replacing them, the processor must inform the controller. The data processor shall also be responsible for any failure by the sub-data processor concerning the processing operations.
You can also create a processor specifying that it acts as a sub-processor.
Sub-data processors recur in many types of processing operations, and it is essential that each data controller is able to record them and, if necessary, object to their designation or replacement.
It is widely believed that the controller is always the only one responsible. The controller is certainly involved first and foremost, but this does not mean that the processor cannot be responsible too.
In certain cases, the latter will also be liable for the damage caused, for example if they fail to comply with their obligations or if they act in a manner that is inconsistent with or contrary to the controller’s instructions on the processing operation for which they are responsible. But not only then.
Even omitting information required by the regulation exposes the data processor to joint liability with the controller. The processor will be exempt only if it can demonstrate that the harmful event to which the data subject has been exposed is not attributable to it in any way.