Controller who is also a Processor

According to the GDPR, a processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Article 30 states that a processor must also maintain a Records of Processing Activities carried out on behalf of controllers.

Either entered individually, or using the client import template, GDPR365 has made it much simpler for a processor to manage and produce the information necessary to maintain the Records of Processing Activities.

Getting started

Under Organisation, select Subscription and select the feature ‘My organisation is a processor for other controllers’. This will reveal the ‘Clients’ feature in the Processors section.

What are my first steps?

We recommend that you first create your processing categories.

1. Give the processing category an appropriately descriptive name – e.g. ‘Payroll Run’ or ‘Marketing Automation’ or ‘Software as a Service’ etc.

2. Provide a brief description of the activities

3. Select the country or countries where the processing activities occur

4. Indicate whether the processing is Internal (within your organisation) or External to your organisation – in other words, with other processors

5. If Internal and you have selected countries outside the EU (in 3. above), you must indicate the ‘Export legal basis’ – (which will most likely be Binding Corporate Rules)

6. If External and you have selected countries outside the EU (in 3 above), you must select from your Processors already created in the Processing section.

7. Add any relevant notes and then Save

Next steps?

Add all controllers (your clients) on behalf of whom you process, their representatives and DPO’s details (where applicable), then associate each client with the relevant processing category or categories and Save.

Once Saved, you also have the option to upload the signed contract with your client.

What if I have many clients to create?

In the Clients tab, select ‘Client import template’, capture all the details as suggested in the template then import the file using ‘Import clients’.

Please note, after you import clients you will need to check that ‘Processing Categories’ has all the relevant details as suggested in the steps 1 to 7 above. Ensure that all relevant Processors exist under Processor Contracts. This is an important step because as a processor you shall not engage another processor without prior specific or general written authorisation of the controller.

In the section on Security Measures which sits under Governance/Records of Processing Details, add details that are relevant to the processing activities.

What if I have already used the existing section under Governance?

We are encouraging all users to migrate to the new section by 30 May, 2019. The Records of Processing Activities report will include all information from the existing section until then.

Russell is the author of this solution article.

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.