Service Providers

Author: David Zetoony
Profession: Partner in the Boulder, Colorado office of Bryan Cave Leighton Paisner, LLP, an international law firm
Pages: 127-144
Service Providers
Q.135 Are All Service Providers Considered to Be "Processors"?
No.
As is discussed in Q 1 and Q 2, a company is considered a "controller" if it "determines the purposes and means" of how personal data will be processed[236] and a company is considered a "processor" if it only "processes personal data on behalf of the controller."[237]
Even though a service provider often "processes personal data on behalf of" its client, in some situations the service provider also has a role in determining the purposes and means of the processing. In such a situation the service provider is, like its client, considered a "controller" or a "joint controller" and is arguably responsible for fulfilling the requirements within the GDPR that apply only to controllers.
Q.136 What Guarantees Must a Service Provider That Is Acting as a Processor Provide to Its Controller Client?
The GDPR requires that a controller and a processor clearly set forth the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data involved, the categories of data subjects involved, and the obligations and the rights of the controller. Among other things, the processor must be bound (by contract or some other legal act) to the following substantive provisions:
236. GDPR, Article 4(7).
237. GDPR, Article 4(8).
128 The EU General Data Protection Regulation (GDPR)
1. Documented instructions. The service provider will only process personal data consistent with the controller's documented instructions.[238]
2. Confidentiality. The service provider must ensure that persons authorized to process personal data have committed themselves to confidentiality.[239]
3. Processor security. The service provider must implement appropriate technical and organizational measures to secure the personal data that it will be processing.[240]
4. Subcontracting authorization. The service provider must obtain written authorization before subcontracting and must inform its client before it makes any changes to its subcontractors.[241]
5. Subcontracting flowdown obligations. The service provider will flow down these obligations to any subprocessors.[242]
6. Subcontracting liability. The service provider must remain fully liable to the controller for the performance of a subprocessor's obligations.[243]
7. Responding to data subjects. The service provider will assist its client to respond to any requests by a data subject.[244]
8. Assisting controller in responding to data breach. The service provider will cooperate with its client in the event of a personal data breach.[245]
9. Assisting controller in creating DPIA. The service provider will cooperate with its client in the event the client initiates a data protection impact assessment.[246]
10. Delete or return data. The service provider will delete or return data at the end of the engagement.[247]
238. GDPR, Article 28(3)(a).
239. GDPR, Article 28(3)(b).
240. GDPR, Article 28(1), (3)(c); GDPR, Article 32(1).
241. GDPR, Article 28(2), 28(3)(d).
242. GDPR, Article 28(3)(d); GDPR, Article 28(4).
243. GDPR, Article 28(3)(d).
244. GDPR, Article 28(3)(e); GDPR, Articles 12–23.
245. GDPR, Article 28(3)(f); GDPR, Articles 33–34.
246. GDPR, Article 28(3)(f); GDPR, Articles 35–36.
247. GDPR, Article 28(3)(g).
