So, who exactly is a processor?
A processor is any external service provider who:
- performs a task on behalf of your company,
- processes personal data in the course of that task, and
- follows your instructions (i.e., they don’t determine the purpose of processing themselves).
Example:
Is your department working with a call center to contact clients? Or using a cloud-based app to manage customer data? That likely means you’re working with a processor – and that relationship must be covered by a data processing agreement.
Who might be a processor in your environment?
Here are some common types of contractors that often act as processors. Think about which of these your department collaborates with – and whether those relationships are properly documented:
- External document storage providers
- Security companies
- Payroll service providers / accounting firms
- Cloud or hosting providers
- Call centers
- Shared service centers
- Recruitment agencies
- Translation agencies
- Software vendors and IT providers
- Property managers (acting on behalf of the building owner)
- Consulting firms
- Debt collection agencies
- Marketing agencies
- Postal service providers / warehouse logistics firms
- Newsletter/email campaign platforms
- Electronic signature platforms
- Companies that destroy documents or data storage media
- Web analytics or user tracking tools
- IT body leasing / hardware service providers
- Companies within the same capital group (in some cases)
What should you do?
Here’s a quick checklist to keep your department GDPR-compliant:
- Review all vendors and service providers your department works with.
- Check if any of them process personal data on your department’s behalf.
- Make sure a data processing agreement is in place with each of them.
  If not – inform the person responsible for GDPR in your organization.
- Check whether these companies (so-called processors) were properly vetted before starting the cooperation – and whether they are subject to regular reviews, e.g. once a year, to ensure compliance with data protection requirements.
Even a small oversight can have serious consequences. The data protection authority won’t ask if “someone from IT was handling it” – they’ll ask if there’s a signed agreement in place.
When in doubt – just ask.
It’s always better to double-check than to explain a data breach.