“Processing” is a possibility provided for in Art. 28 of the General Data Protection Regulation (GDPR) to have personal data processed by a third party. The processor may collect, process, store or use personal data only on the basis of a contract with, and in accordance with the instructions of the controller. In Germany, processing was previously governed by S. 11 of the old German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) and it was known as “commissioned data processing” (Auftragsdatenverarbeitung).
The characteristic feature of “processing” is the processing of the personal data by the processor in accordance with the instructions provided by the controller. The processor has no discretion regarding the processing as it is the controller who determines the purposes and methods of the data processing. The processing is carried out by the processor in the controller’s interest and, as far as third parties are concerned, the controller also remains responsible. A differentiation should be made between “processing” and “joint controllership” in accordance with Art. 26 GDPR, where (at least) two controllers jointly determine the purposes and methods of the processing of personal data, for which they are also jointly responsible. In some cases, this differentiation can be difficult as in day-to-day business it is, of course, not feasible for the processor to consult with the controller on every single issue. However, it is still considered processing if the processor is granted a certain degree of discretion by the controller, e.g. under the contract. As a rule of thumb, the more the cooperation between the parties resembles one between a superior and a subordinate party, the easier it is to qualify the relationship as processing, and the more difficult it becomes to argue they are both jointly responsible.
Processing usually requires a contractual agreement (see Art. 28 para. 3 GDPR). In exceptional cases it may also take place on the basis of other legal instruments such as a statutory order. However, this does not currently exist in Germany.
Art. 28 para. 3 GDPR also sets out the minimum requirements for the content of such a contract or legal instrument. Among other things, it must stipulate what types of personal data will be processed as well as the object and the purpose of the processing. The processor has additional obligations, e.g. the processor must keep its own register of processing activities, including the name and contact details of each controller on whose behalf the processor is acting, as well as the categories of processing carried out. It is therefore not sufficient to simply provide the controller with the information the controller may need for the controller’s own list of processing activities! The register of processing activities must also provide details on any transfer of personal data to countries outside the EU/EEA, so-called “third countries”, as well as a description of the technical and organisational measures taken by the processor to protect the data in accordance with Art. 32 GDPR.
The controller, on the other hand, must carefully select the processor, who must offer sufficient guarantees that the processor has implemented appropriate technical and organisational measures to protect the data and to comply with the provisions of the GDPR during the processing.
According to the old German BDSG, the controller as the “responsible body” (verantwortliche Stelle) was the sole contact person for the data subjects and was liable for compliance with the legal requirements on data protection. This principle still applies under the GDPR, but the processor is not completely exempt from liability. In principle, the processor is jointly liable with the controller under Art. 82 GDPR. The processor’s liability is thereby limited to breaches of the obligations imposed on the processor. However, the processor must provide negative evidence, i.e. prove that the processor is in no way responsible for the cause of the damage that occurred. An interesting question, which ultimately may only be answered by a court, is whether processors can, at least in relation to their controllers/clients, limit their liability by means of contractual agreements, e.g. as part of their general terms and conditions.
In cross-border situations it should be noted that these provisions on processing apply even if the processing is merely connected with the activities of an EU branch of just one of the parties. This means that it is sufficient if either the controller or the processor operates a branch in the EU and the processing is linked to that branch.
The terms “processing” or “processor” appear a lot in the GDPR, which reflects their significance in practice. The most important provisions are Art. 4 GDPR (Definitions); regarding the contract Art. 28 GDPR (Processor) and Art. 29 GDPR (Processing under the authority of the controller or processor); Art. 30 GDPR (Records of processing activities) as a separate obligation; with regard to certificates, Art. 40 GDPR (Codes of conduct) and Art. 42 GDPR (Certification); for international cases, Art. 44 GDPR (General principle for transfers); Art. 45 GDPR (Transfers on the basis of an adequacy decision); Art. 46 GDPR (Transfers subject to appropriate safeguards); and, of course, Art. 82 GDPR (Right to compensation and liability) on liability.