In practice, this means the following:
- Respecting the principles governing the processing of personal data;
- Appointing a DPO where required;
- Maintaining a register;
- Implementing data protection by design and by default;
- Appointing representatives if the data processor is not established in the EU;
- Ensuring that the data is confidential, complete and available;
- Allowing the data subjects to exercise their rights; and
- Drawing up a risk analysis where required.
In addition to the data-processing obligations in common with the data controller, the data processor must:
- draw up a contract or other legal act under EU law, specifying each party’s obligations and incorporating the provisions of Article 28 of the GDPR, as well as the nature, purpose and duration of the data processing, the type of data and the categories of data subjects;
- document in writing its clients' instructions regarding the processing of their data;
- obtain its clients' written authorisation to process the data (or, at the very least, allow them to object to this processing); and
- cooperate with its clients, inform them of the lawfulness of their instructions, and provide them with all the information necessary to demonstrate that it is in compliance with its obligations and to enable audits to be carried out.
In parallel, the data processor’s obligations are reduced regarding:
- the deadline for informing clients in the event of a data breach ("not later than 72 hours after having become aware of it" is relaxed to "without undue delay").
What about contracts that are already running?
Updates are required on a case-by-case basis, depending on the effort needed and the risks identified. Obviously, open-ended contracts pertaining to data that is sensitive in terms of its impact on data subjects must be prioritised over contracts that, for example, pose no risk or are nearing the end of their term.
In all cases and in accordance with the principle of accountability, these decisions must be justified.