Broadly speaking, a data processor has the same obligations as a data controller; however, there are some nuances which should be noted.
Processors must also:
- Perform only the processing defined by the data controller (or legal requirements)
- Obtain the written consent of the data controller before appointing a sub-processor
- Duplicate the same rules and constraints about personal data in the controller/processor contract in any contracts with sub-processors
There are circumstances where the data processor must inform the data controller of events:
- If the processor anticipates that the controller’s instructions and operations will conflict with the GDPR’s requirements or the laws of the EU Member State in question, the processor is obliged to inform the data controller immediately, without any undue delay
- Processors must notify the data controller of any data breach immediately, without delay