Vicki Bowles, a Partner and barrister in the Commercial team at VWV, explores what a data processor is, and why it's important to get this area of data protection law right.
A data processor is any third party that you engage to deal with personal data on your behalf, where you retain overall control over the personal data they are processing for you.
These rules apply regardless of what the third party is doing - so if they are merely storing your data, and not looking at it, amending it or doing anything with it, they are still 'processing' personal data by storing it, and would still be a data processor.
As an example, your operating system will be a data processor. If you use Microsoft or Google to send emails, then they will be 'processing' any personal data within those emails. They have no right to use that data for their own purposes - they can only use it in the course of providing you with the email services that you have signed up to, so they are your data processor.
Whether a third party is a data controller or a data processor comes down to the level of control that they can exert over the data that you give them, and is not always an obvious distinction. One question to ask yourself, is whether the third party is making any decisions about what personal data they process, or how it is used. The more they can do without reference to you - the less likely they are to be a processor.
If you engage any data processor, the UK GDPR requires that there be a written and enforceable contract in place with that data processor, which contains specific terms, set out in the legislation. This will apply wherever the processor is based, and the UK GDPR applies because you, as the data controller, are based in the UK.
It's important to remember that just because you are dealing with a large company, who appear to have everything in place, that won't guarantee that the data processor terms are complete. It is therefore always worth checking that any agreements you are signing contain all of the relevant clauses, and if they don't, asking for the clauses to be completed.
The first risk is that you end up being liable for any losses caused by the data processor. If the data processor has a data breach that ends up causing damage to individuals, the individual may issue proceedings against you as a data controller. You would usually then use the contract with the processor as a means of recovering those damages, but if the contract is not compliant, or no contract exists, then this could prevent that recovery.
The second key risk materialises at the point when you're looking to merge or expand your business. In a due diligence process, you will likely be asked to identify your data processors, and confirm that you have compliant agreements in place. If compliant agreements are not in place, and the risks are significant, this could lead to a renegotiation of the deal.
Identifying data processors and attempting to amend contractual provisions after the event can also be costly, so it's worth getting the agreements right at the outset of the relationship if you can.
An often overlooked requirement in relation to data processors is the need to carry out (and document) due diligence on any data processor that you intend to use. The level of due diligence required will depend upon the risks involved, the cost of the contract, the types of data you are intending to transfer etc, but it is a legal requirement to carry out some form of check before you sign.
Another reason to investigate your data processors, is to make sure that you can meet your obligations in relation to EEA transfers. If your processor is storing your data outside of the EEA (which is more likely if they are based outside of the EEA), then you have an obligation to ensure that you tell individuals about this in your privacy notices, and ensure that there are relevant safeguards in place.