To ensure compliance with the requirements of the GDPR in respect of the processing to be carried out by the processor on behalf of the controller, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of the GDPR, including for the security of processing.
The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller. The carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller.
Under the GDPR, processors will be required to comply with a number of specific obligations, including to:
maintain adequate documentation (Article 30);
implement appropriate security standards (Article 32);
carry out routine data protection impact assessments (Article 32);
possibly appoint a data protection officer (Article 37);
comply with rules on international data transfers (Chapter V); and
cooperate with national supervisory authorities (Article 31).
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018