GDPR ARTICLE 28: PROCESSOR REQUIREMENTS

24 July 2018

Data processor

The minimum information a processor needs in order to comply with its legal responsibilities, and for the controller to comply with Article 28, is a statement of whether the data includes special categories of personal data, since this raises the risk profile of the data set.

For Personal Data that does not fall into one of the following:

  • Child data under Article 8
  • Special Categories of Data under Article 9 (which adds biometric data to, and removes convictions data from, the equivalent list in the old DPA 1998), or
  • Convictions Data under Article 10

the controller will need to refer to the categories and types of data it uses in order to make sense of its information asset inventory, and make sure that processors can maintain that same view for the data they hold on the controller's behalf.

When looking at the meanings of 'type' and 'category' of personal data, in the context of Article 28(3) and Recital 81, it is helpful to differentiate them in the following terms:

  'Type'                                             'Category'
  -------------------------------------------------  -------------------------------------------------------------------
  Format, i.e. paper files, online profiles etc      Personal v Sensitive, i.e. address v health data
  Which data or data categories are processed        'HR leaders' or 'Team Leaders' would be a category of recipients
  Type of data may be regular or special type        Category of affected persons is customers or employees, etc
                                                     Category of data is master data, payroll data, health data, etc

Article 28(3) applies in the context of a processor's contract with the controller. The type of Personal Information has to be stated, and can be: collected, observed, derived, or special category. Article 28(3)(h) states that the processor must ensure it "makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article...", so the processor must be able to produce a report evidencing that compliance.

The controller's contract with a processor should not reveal any more about the structure of the data being provided than is needed for the processor to comply with its legal responsibilities. If the controller wishes to provide further information that the processor might require in order to carry out the technical tasks requested of it, this should be provided in a separate document with a restricted circulation list.

Finally, it may be necessary to provide the controller with technical requirements and details to complement a Service Level Agreement. However, these do not need to be within a formal contract.
