How to engage processors

By | Tuesday March 7th, 2017

Articles 28 and 29 of the GDPR require that a processor be engaged “by a contract or other legal act”.

Such a document must include:

  • the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects;
  • the confidentiality agreement;
  • assurance that persons authorised to process the personal data have committed themselves to confidentiality;
  • the prohibition to use sub-suppliers (i.e. sub-processors) without authorization by the controller;
  • the assurance, in case of use of sub-suppliers, to have a contract (or act) with the same provisions for the personal data processing included in the contract (or act) with the controller;
  • the instructions from the controller for the personal data processing;
  • the prohibition, without the controller’s authorization, to transfer the personal data to extra-EU countries or to allow access to the personal data from extra-EU countries;
  • the assurance to have periodical reviews of the effectiveness of technical and organizational measures;
  • the commitment to assist the controller in the fulfilment, in less than 30 days, of the data subjects’ requests;
  • the commitment to communicate to the controller all data breaches or potential data breaches and to assist the controller in case of such events;
  • the commitment to delete or return all the personal data to the controller after the end of the activities;
  • the right of audit.

These requirements demand a considerable effort and look more applicable to organizations than to natural persons.

Considering this and an article by Giancarlo Butti, it really looks like only organizations are intended to be processors.

And this is logical: internal responsibilities cannot be split into 3 levels (controller, processors and employees); they may instead differ and be regulated by internal organization charts and job descriptions, all governed by the top management (acting as the controller’s representative).

Category: Roles and Liabilities

About Cesare Gallotti

More than 15 years of experience in information security and IT process management. Italian representative in ISO/IEC SC 27 WG1 international meetings for writing the ISO/IEC 27000 standard family. Activities in Italy, Europe, Asia and Africa, for companies of various sizes and market sectors. Consultancy, training and audit for: information security, quality, compliance with legal requirements (Personal Data Protection, SOX, etc.), compliance with international standards (ISO 9001, ISO/IEC 27001, ISO/IEC 20000, ISO 22301, etc.), and process improvement.

2 thoughts on “How to engage processors”

  1. silvia stefanelli

    Thanks for the contribution.
    I too am working a lot on this topic, in the relationship between ASLs and the accredited/contracted private facilities that deliver services in the name and on behalf of the ASL itself.

    I would point out the document published by the Spanish authority at the beginning of January 2017, which gives guidance on how to draw up the contract.

    Regards to all
