In this video, Mandy Huth reviews Article 28 of the GDPR. Learn about the primary responsibilities of a data processor, such as security measures, subprocessors, model clauses, and the scope of the data.
- [Instructor] GDPR has 99 articles. Article 28 is important to understand because it outlines the specific tasks a data processor is responsible for in that role. There are four primary responsibilities outlined in article 28. The first is to implement security measures. How this is implemented depends on the nature of the data and how it is being handled. These can be technical measures or they can be process based. Next, is the use of subprocessors.
This happens when a processor outsources some part or all of the data processing to a third party. A subprocessor is bound by the same data protection obligations set out in the processors contract with the controller. The explicit consent of the controller is required in order to be lawful. Further, an additional contract is put in place for subprocessors with the appropriate clauses that apply. The third tenant is that the processor must ensure there is a contract in place with the controller.
Some components to include in the contract should be whose data is being processed, categories of data subjects, which data is included, what is it, and how is it being used? The contract should additionally list out the responsibilities of both the controller and the processor. A model clause is a contract between two organizations that outline the roles and responsibilities of each. In the model clause contracts there are often addendums that outline these responsibilities and they are most often used for the measures.
One can locate an example of a model clause online by searching for templates. Finally, the processor must ensure they only process in scope data. They should have records of their processing activity and logs to review. These logs can be used as evidence in case of an audit. It's important to note that the processor can be considered accountable, just like the data controller if they violate any of these responsibilities.
These four tenants are the core responsibilities of a data processor.
DISCLAIMER: Neither LinkedIn nor the instructor represents you, and they are not giving legal advice. The information conveyed through this course is not intended to give legal advice, but instead to communicate information to help viewers understand the basics of the topic presented. Certain concepts may not apply in all countries. The views (and legal interpretations) presented in this course do not necessarily represent the views of LinkedIn or Lynda.com.
- Compliance deadlines and penalties
- Data controllers and data processors under GDPR
- Exploring the role of the data protection office
- Technical measures outlined in the GDPR
- Reviewing the right to be forgotten and the situations that allow erasure
- Rules for children under the age of 16
- Breach notification