Articles 28 and 29 of the GDPR require that a processor be engaged “by a contract or other legal act”.
This document must include:
- the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects;
- the confidentiality agreement;
- assurance that persons authorised to process the personal data have committed themselves to confidentiality;
- the prohibition to use sub-suppliers (i.e. sub-processors) without authorization by the controller;
- the assurance, in case of use of sub-suppliers, to have a contract (or act) with the same provisions for the personal data processing included in the contract (or act) with the controller;
- the instructions from the controller for the personal data processing;
- the prohibition, without the controller’s authorization, to transfer the personal data to non-EU countries or to allow access to the personal data from non-EU countries;
- the assurance of periodic reviews of the effectiveness of technical and organizational measures;
- the commitment to assist the controller in fulfilling data subject requests in less than 30 days;
- the commitment to communicate to the controller all data breaches or potential data breaches and to assist the controller in case of such events;
- the commitment to delete or return all the personal data to the controller after the end of the activities;
- the right of audit.
Meeting these requirements demands considerable effort, and they look more applicable to organizations than to natural persons.
Considering this and a Giancarlo Butti article (https://blog.europrivacy.org/it/2016/07/19/the-internal-data-processor-and-the-gdpr/), it really looks like only organizations are intended to be processors.
And this is logical: responsibilities inside an organization cannot be split into three levels (controller, processors and employees); they may differ, but they are regulated by internal organization charts and job descriptions, all governed by top management (acting as the controller’s representative).