
The EU General Data Protection Regulation: A Brave New World for Processors

04 March 2016
Significant changes are afoot for processors. With the text of the European Union General Data Protection Regulation (GDPR) now published, processors will need to begin to acclimatise to the new regime under the GDPR. Although the GDPR still places the lion’s share of compliance responsibilities on controllers, it also extends direct application of the law to processors and renders them subject to fines, in an effort to allocate responsibility between the parties.

Key changes and probable implications for processors include the following:

  1. EU data protection law will apply directly to processors. Unlike the current Data Protection Directive, a number of requirements under the GDPR will apply directly to processors, both to processors in the EU and to certain processors outside the EU.

  2. Relationships with controllers will be more strictly regulated. The GDPR requires the inclusion of specific provisions in the contract between a processor and a controller, e.g. a processor must obtain consent from the controller before appointing a subprocessor.

  3. Processors must demonstrate accountability. Processors must maintain a record of all their data processing activities (which should be disclosed to a Data Protection Authority upon request) and processors involved in "large scale" data processing must appoint a data protection officer.

  4. Both parties are directly responsible for data security. While the requirement under the current Directive to implement security measures is expressed as a contractual requirement on processors as part of their relationship with controllers, the GDPR contains a positive obligation on processors to implement security measures and to consider further security aspects such as pseudonymisation and encryption.

  5. Rules on data transfers and disclosures. Processors have a role to play in ensuring compliance with data transfer rules and may disclose personal data when required under EU or Member State law.

  6. Processors will be subject to greater regulatory and judicial exposure. Processors must cooperate with Data Protection Authorities who will have the power, amongst other things, to investigate and fine processors potentially up to 4 percent of total worldwide annual turnover.

To read the article in full including the implications of these changes click here.

This article was first published in the February 2016 edition of World Data Protection Report and is reproduced with permission from World Data Protection Report, 16 WDPR 02, 2/25/16.
