What Is A Data Processor?
What is a data processor under the GDPR?
Art. 4 GDPR – Definitions
For the purposes of this Regulation:
- ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
- ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
- ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
- ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
- ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
- ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
- ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
- ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
- ‘main establishment’ means:
  - as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
  - as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;
- ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to, represents the controller or processor with regard to their respective obligations under this Regulation;
- ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
- ‘group of undertakings’ means a controlling undertaking and its controlled undertakings;
- ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;
- ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to ;
- ‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:
  - the controller or processor is established on the territory of the Member State of that supervisory authority;
  - data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
  - a complaint has been lodged with that supervisory authority;
- ‘cross-border processing’ means either:
  - processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
  - processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
- ‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;
- ‘information society service’ means a service as defined in point (b) of Article 1(1) of of the European Parliament and of the Council (¹);
- ‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
¹ Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services.
What is an example of a data processor?
What is a data processor? – Data processors act on behalf of, and only on the instructions of, a data controller. A data processor is the company that processes data on behalf of a data controller. The data processor is not allowed to do anything with the personal data other than what is explicitly stated by the data controller.
What is the best definition of a data processor?
A data processor is a person, company, or other body which processes personal data on the data controller’s behalf. For the official GDPR definition of ‘data processor’, please see Article 4.8 of the GDPR.
What is the difference between a data controller and data processor?
If you are just starting out on your GDPR journey, understanding the key differences between a data processor and a data controller is an important concept to grasp. In large part, the data controller is the one that collects or possesses the data, and the processor is a third-party engaged by the controller to do data processing.
Three definitions from Article 4 should help speed your understanding of processors and controllers along:
- A data controller determines the purposes and means of the processing of personal data.
- A processor engages in personal data processing on behalf of the controller.
- Processing involves any operation (or set) performed on personal data (such as, but not limited to, collection, structuring, storage, use or disclosure).
The organizations play different roles with respect to the data. The controller gets to call the shots. The processor follows the instructions of the controller and performs the operations requested. If the organizations are jointly determining processing, then they are considered joint controllers under the law.
Example of a Data Controller and Data Processor
Here is an example to help reinforce the differences conceptually: A website collects personal data from a customer located in the European Union during the customer’s purchase of a product. The personal data includes identifying information such as the customer’s name, address and phone number.
After all, the product has to be shipped to the purchaser in Europe. The operator of the website uses a third-party warehouse to store and ship the products on its behalf. In order to make sure the packages get to the right place, the website operator sends the warehouse the customer’s name and address.
The warehouse then ships a package, including the purchased product, to the consumer. The website operator is the controller. They collect the data and determine how it is processed. The warehouse is the processor. They receive the data from the controller and use it to mail the package. There are some overlapping requirements in GDPR that apply to both data processors and data controllers.
However, there are a number of areas where the responsibilities are different. What are the key differences between a GDPR data processor vs. data controller?
- The data controller gives instructions for processing to the data processor. The processor cannot process personal data except upon the instructions of the controller. If a processor unlawfully processes personal data without instructions, they may be considered a controller instead.
- The controller is responsible for implementing measures to ensure that processing occurs pursuant to GDPR. The processor is tasked by the text of the privacy law with helping the controller with certain tasks, including information necessary to demonstrate compliance. The processor must also immediately tell the controller if an instruction violates GDPR.
- The controller is responsible for carrying out Article 35 Data Protection Impact Assessments (DPIAs), if necessary. The processor is charged with assisting the controller in carrying out the obligation by Article 28.
The controller can engage any processor that meets the vendor management requirements imposed by GDPR and agrees to an appropriate written contract for processing. The data processor may only engage processors that are approved or based upon the instructions of the controller.
What is the difference between a data controller and a data processor under GDPR?
According to Article 4 of the EU GDPR, a data controller is the entity (person, organization, etc.) that determines the why and the how for processing personal data. A data processor, on the other hand, is the entity that actually performs the data processing on the controller’s behalf.
What is the difference between data owner and processor in GDPR?
Am I the ‘controller’ or the ‘processor’? – Control, rather than possession, of personal data is the determining factor here. The data controller is the person (or business) who determines the purposes for which, and the way in which, personal data is processed.
What is the role of data processor?
What are the Responsibilities of a Data Processor? – A data processor is responsible for carrying out the actual processing of the data under the specific instructions of the data controller, which may include:
- Design, create, and implement IT processes and systems that would enable the data controller to gather personal data.
- Use tools and strategies to gather personal data.
- Implement security measures that would safeguard personal data.
- Store personal data gathered by the data controller.
- Transfer data from the data controller to another organization and vice versa.
Is Microsoft a data processor?
Breach Notification – The GDPR mandates notification requirements for data controllers and processors for a breach of personal data. As a data processor, Microsoft ensures that customers are able to meet the GDPR’s breach notification requirements. Data controllers are responsible for assessing risks to data privacy and determining whether a breach requires notification of a customer’s DPA.
What is the role of the processor?
The Power of the Processor – The processor, also known as the CPU, provides the instructions and processing power the computer needs to do its work. The more powerful and updated your processor, the faster your computer can complete its tasks. By getting a more powerful processor, you can help your computer think and work faster.
Do data processors have to be GDPR compliant?
What Is The Difference Between A Controller And A Processor? – There is a clear difference between a ‘data controller’ and a ‘data processor’ according to the GDPR. The regulation recognizes that not all organizations involved in the processing of personal data have an equal level of responsibility.
The definitions of controllers and processors according to the GDPR are as follows:
- Data Controller – Is a legal or natural person, an agency, a public authority, or any other body who, alone or when joined with others, determines the purposes of any personal data and the means of processing it.
- Data Processor – Is a legal or a natural person, agency, public authority, or any other body who processes personal data on behalf of a data controller.
If you are classed as a data controller or a data processor, you are responsible for ensuring that you comply with the GDPR and demonstrate compliance with the regulation’s data protection principles. Data processors do not have the same level of GDPR compliance responsibilities.
What is processor in simple words?
A processor (CPU) is the logic circuitry that responds to and processes the basic instructions that drive a computer. The CPU is seen as the main and most crucial integrated circuitry (IC) chip in a computer, as it is responsible for interpreting most of a computer’s commands.
- CPUs will perform most basic arithmetic, logic and I/O operations, as well as allocate commands for other chips and components running in a computer.
- The term processor is used interchangeably with the term central processing unit (CPU), although strictly speaking, the CPU is not the only processor in a computer.
The GPU (graphics processing unit) is the most notable example, but the hard drive and other devices within a computer also perform some processing independently. Nevertheless, the term processor is generally understood to mean the CPU. Processors can be found in PCs, smartphones, tablets and other computers.
How can I be a good data processor?
A data processor organizes, transfers, and processes personal data for a company or an organization. A data processor’s duties include verifying the information in all documents, updating document formats, and processing incoming documents. They also generate and maintain backup files of organization transactions, maintain files and records, validate the accuracy of company insurance applications through internet-based research, and create detailed reports on company data use and management.
Data processors also update document formats and complete all data entries to fulfill regulatory requirements. A good data processor must possess excellent typing skills and knowledge of Microsoft Office software tools. Attention to detail, accuracy, time management, and the ability to work with a team are also needed by a data processor.
The minimum educational requirement is a high school diploma, but an associate or bachelor’s degree in computer science, data processing, or related fields would give you an edge over others. The median annual salary of a data processor is $32,182 per year.
- Salary: $33,076
- Number of jobs: 92,954
- Most common skill: Computer Database
- Most common degree: Bachelor’s degree
- Best state: Alaska
Is Microsoft a data processor or controller?
General Data Protection Regulation (GDPR)
Introduction
The European Union’s General Data Protection Regulation (GDPR) sets an important bar globally for privacy rights, information security, and compliance. At Microsoft, we believe privacy is a fundamental right and that the GDPR is an important step forward in protecting and enabling the privacy rights of individuals.
Microsoft is committed to its own compliance with the GDPR, as well as to provide an array of products, features, documentation, and resources to support our customers in meeting their compliance obligations under the GDPR.
Following is a description of Microsoft’s contractual commitments to its customers concerning personal data collected from enterprise software. (For software licensed from Microsoft Commercial Licensing programs, refer directly to the Microsoft Products and Services Data Protection Addendum (DPA) at )
Does Microsoft make commitments to its customers with regard to the GDPR?
Yes. The GDPR requires that controllers (such as organizations and developers using Microsoft’s enterprise online services) only use processors (such as Microsoft) that process personal data on the controller’s behalf and provide sufficient guarantees to meet key requirements of the GDPR.
Microsoft provides these commitments to all customers of Microsoft Commercial Licensing programs in the DPA. Customers of other generally available enterprise software licensed by Microsoft or our affiliates also enjoy the benefits of Microsoft’s GDPR commitments, as described in this notice, to the extent the software processes personal data.
Where can I find Microsoft’s contractual commitments with regard to the GDPR?
You can find Microsoft’s contractual commitments with regard to the GDPR (GDPR Terms) in the attachment to the DPA labeled “European Union General Data Protection Regulation Terms.” Those terms commit Microsoft to the requirements of processors in GDPR Article 28 and other relevant articles of the GDPR.
Microsoft extends the GDPR Terms to all customers of generally available enterprise software products licensed by us or our affiliates under Microsoft software license terms, effective as of May 25, 2018, regardless of the applicable version of the enterprise software, to the extent Microsoft is a processor or subprocessor of personal data in connection with such software, and so long as Microsoft continues to offer or support the version.
Support details can be found in the Microsoft Lifecycle Policy at, For clarity, different or lesser commitments may apply to beta or preview software, software that has been materially modified, or any software licensed by Microsoft or our affiliates that is not made generally available to the public or otherwise not licensed under Microsoft software license terms.
Some products may collect and send to Microsoft telemetry or other data by default; product documentation provides information and instructions for how to turn off or configure such telemetry collection.
What commitments are in the GDPR Terms?
Microsoft’s GDPR Terms reflect the commitments required of processors in Article 28 of the GDPR. Article 28 requires that processors commit to:
- only use subprocessors with the consent of the controller and remain liable for subprocessors;
- process personal data only on instructions from the controller, including with regard to transfers;
- ensure that persons who process personal data are committed to confidentiality;
- implement appropriate technical and organizational measures to ensure a level of personal data security appropriate to the risk;
- assist the controller in its obligations to respond to data subjects’ requests to exercise their GDPR rights;
- meet the GDPR’s breach notification and assistance requirements;
- assist the controller with data protection impact assessments and consultation with supervisory authorities;
- delete or return personal data at the end of provision of services; and
- support the controller with evidence of compliance with the GDPR.
Is AWS a data processor or a data controller?
GDPR – Amazon Web Services (AWS)
The European Union’s General Data Protection Regulation (GDPR) protects European Union (EU) individuals’ fundamental right to privacy and the protection of personal data. The GDPR includes robust requirements that raise and harmonize standards for data protection, security, and compliance.
Please review our below for more information. AWS customers can use all AWS services to process personal data (as defined in the GDPR) that is uploaded to the AWS services under their AWS accounts (customer data) in, In addition to our own compliance, AWS is committed to offering services and resources to our customers to help them comply with the GDPR requirements that may apply to their activities.
New features are launched regularly, and AWS has 500+ features and services focused on security and compliance. For more information on what AWS is doing, read our blog. Customers have control of their customer data. With AWS, customers can:
- Determine where their customer data will be stored, including the type of storage and geographic region of that storage.
- Choose the secured state of their customer data. We offer customers strong encryption for customer data in transit or at rest, and we provide customers with the option to manage their own encryption keys.
- Manage access to their customer data and AWS services and resources through users, groups, permissions and credentials that customers control.
AWS customers can continue to use AWS services to transfer customer data from the EEA to non-EEA countries that have not received an adequacy decision from the European Commission (including the United States) in compliance with the GDPR. At AWS, our highest priority is securing customer data, and we implement rigorous technical and organizational measures to protect its confidentiality, integrity, and availability, regardless of which the customer has selected.
We know that transparency matters to our customers. We list the AWS services that involve a data transfer of customer data on our webpage. As the regulatory and legislative landscape evolves, we will always work to ensure that our customers can continue to enjoy the benefits of AWS services wherever they operate.
The General Data Protection Regulation (GDPR) is a European privacy law that became enforceable on May 25, 2018. The GDPR replaced the EU Data Protection Directive, also known as, and intended to harmonize data protection laws throughout the European Union (EU) by applying a single data protection law that is binding throughout each member state. The GDPR applies to all organizations established in the EU and to organizations, whether or not established in the EU, that process the personal data of EU individuals in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information relating to an identified or identifiable natural person, including names, email addresses and phone numbers. AWS acts as both a data processor and a data controller under the GDPR.
AWS as a data processor – When customers use AWS services to process personal data in the content they upload to the AWS services, AWS acts as a data processor. Customers can use the controls available in AWS services, including security configuration controls, for the handling of personal data. Under these circumstances, the customer may act as a data controller or data processor itself, and AWS acts as a data processor or sub-processor. AWS offers a GDPR-compliant (AWS DPA) that incorporates AWS’s commitments as data processor. The AWS DPA, which includes Standard Contractual Clauses, is part of the and is for all customers who require this to comply with the GDPR.
AWS as a data controller – When AWS collects personal data and determines the purposes and means of processing that personal data – for example, when AWS stores account information (e.g. email addresses provided during the account registration) for account registration, administration, services access, or contact information for the AWS account to provide assistance through customer support activities – it acts as a data controller. Please see the for details on how AWS processes personal data as a controller.
The SCCs are a pre-approved data transfer mechanism under GDPR, applicable in all EU Member States, which enable the lawful transfer of personal data to countries outside of the European Economic Area that have not received an adequacy decision from the European Commission (third countries). The include the SCCs adopted by the European Commission (EC) in June 2021, and the AWS DPA confirms that the SCCs will apply automatically whenever an AWS customer uses AWS services to transfer customer data to countries outside of the European Economic Area that have not received an adequacy decision from the EC (third countries). As part of the AWS Service Terms, the new SCCs will apply automatically whenever a customer uses AWS services to transfer customer data to third countries. The few customers that have signed an AWS DPA can continue to rely on that AWS DPA because the new SCCs in the AWS Service Terms replace the previous version of the SCCs. Customers can therefore be comfortable that any customer data they transfer to third countries using AWS services has the same high level of protection that customer data receives in the EEA. For more information, please see the blog post on the implementation of the,
On 16 July 2020, the Court of Justice of the European Union (CJEU) issued a ruling regarding the transfer of personal data of EU individuals outside the EEA (Schrems II). In Schrems II, the CJEU ruled that the EU-US Privacy Shield was no longer a valid mechanism to transfer personal data from the EEA to the US. However, in the same ruling, the CJEU confirmed that companies can (subject to implementing supplementary measures, if required) continue to use Standard Contractual Clauses as a valid mechanism for transferring personal data outside of the EEA. The European Data Protection Board (EDPB), a European body composed of representatives of the national data protection authorities, has since provided a non-exhaustive list of supplementary measures in its “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” (EDPB Recommendations). The EDPB Recommendations provide data exporters with examples of supplementary measures that could be put in place. See FAQ “Can I continue to use AWS services following the Schrems II judgement?” below for details on AWS’s data transfer resources.
Can I continue to use AWS services following the Schrems II judgement?
Yes, AWS customers can continue to use AWS services to transfer customer data from Europe to countries outside the EEA that have not received an adequacy decision from the European Commission. The Schrems II ruling validated the use of Standard Contractual Clauses (SCCs) as a mechanism for transferring customer data outside the EEA, and AWS customers can continue to rely on the SCCs for any transfer of customer data outside the EEA in compliance with GDPR.
Processing location. Customers select the AWS Region in which their customer data will be stored. An overview of available AWS Regions can be found under. AWS will not process customer data outside the customer’s selected AWS Region unless it is necessary for the purpose of providing the AWS services initiated by the customer, or as necessary to comply with the law or a binding order of a governmental body. Please see our webpage to find out more about data transfers as part of AWS services.
Sub-processors. AWS may use sub-processors, i.e. AWS affiliates or third parties, to assist with the processing of customer data, to fulfil our obligations to customers under the AWS DPA, or to provide services on our behalf. See the FAQ “Does AWS use sub-processors to process customer data?” below for details.
Transfer tools. Since the Schrems II ruling validated the use of SCCs as a mechanism for transferring data to countries outside the EEA that have not received an adequacy decision from the European Commission, our customers can continue to rely on the SCCs included in the if they choose to transfer their data outside the EEA in compliance with the GDPR.
Supplementary measures.
Customer control. Customers have ownership and control over their customer data at all times through simple yet powerful tools that enable them to determine where their customer data will be stored, secure their customer data in transit and at rest, manage user access to their AWS resources, and modify, delete and retrieve customer data.
Technical and organizational measures. AWS implements responsible and sophisticated technical and physical controls and processes designed to prevent unauthorized access to or disclosure of customer data (visit the for more information). We also provide a number of advanced encryption and key management services (including services that allow customers to manage their own keys) that customers can use to protect their customer data both in transit and at rest; encrypted customer data is rendered inaccessible without the applicable decryption keys. Regardless of whether customer data is encrypted or unencrypted, we will always work vigilantly to protect customer data from any unauthorized access.
Law enforcement requests. AWS has internal processes to deal with requests that we receive from law enforcement. When we receive a request for customer data from law enforcement, we carefully examine it to verify its authenticity and accuracy and to confirm that it is appropriate and complies with all applicable laws. Unless legally prohibited from doing so, AWS notifies customers before disclosing customer data so that customers can take further steps to seek protection from disclosure.
In the (Supplementary Addendum), AWS makes strengthened contractual commitments in relation to dealing with government requests for customer data, including by committing to (i) use every reasonable effort to redirect any governmental body requesting customer data to the relevant customer, (ii) promptly notify the customer of the request if legally permitted to do so (including by using all reasonable and lawful efforts to obtain a waiver of any prohibition if necessary), (iii) challenge any overbroad or inappropriate request, including where the request conflicts with EU law, and (iv) if, after exhausting the steps described above, AWS still remains compelled to disclose customer data in response to a governmental request, disclose only the minimum amount of customer data necessary to satisfy the request.
Contractual measures. AWS makes several contractual commitments to the measures described above, reflected in the AWS DPA and the Supplementary Addendum. The AWS DPA and the Supplementary Addendum include contractual commitments from AWS concerning (1) the customer’s selection of AWS Regions in which customer data is stored and processed, (2) both the technical and organizational measures that AWS has implemented to protect the AWS infrastructure and the technical and organizational measures that customers may choose to apply to protect their customer data, (3) AWS’s measures to protect customer data and inform the customer in case of a data disclosure request from a governmental body, and (4) AWS’s ability to fulfil its obligations set forth in the AWS DPA in compliance with legislation applicable in a third country in which customer data is processed. The Supplementary Addendum also addresses (5) the statutory rights of individuals to claim compensation in case of a violation of their rights granted by the GDPR.
Yes, AWS may use three types of sub-processors: (1) AWS entities that provide the infrastructure on which the AWS services run; (2) AWS entities that support specific AWS services which may require these entities to process customer data; and (3) third parties that AWS has contracted with to provide processing activities for specific AWS services.
The provides more information about the sub-processors that AWS engages in accordance with the AWS DPA, to provide processing activities on customer data on behalf of customers. Sub-processors relevant to an individual customer will depend on the AWS Region the customer selects and the particular AWS services that the customer uses.
The AWS whitepaper,, provides information about the services and resources that AWS offers customers to help them conduct data transfer assessments in light of the Schrems II ruling and the subsequent recommendations from the European Data Protection Board. The whitepaper also describes the key supplementary measures taken and made available by AWS to protect customer data.
- AWS offers helpful information to customers, including several compliance reports from third-party auditors who have verified our compliance with a variety of security standards and regulations, to demonstrate the high level of compliance AWS maintains for its infrastructure.
- These reports show our customers that we are protecting the customer data they choose to process on AWS.
Examples include AWS’ ISO 27001, 27017 and 27018 compliance. ISO 27018 contains security controls that focus on the protection of customer data. AWS is also compliant with the CISPE Data Protection Code of Conduct. More information on the CISPE Code of Conduct can be found in the FAQ below, “Does AWS comply with a GDPR approved Code of Conduct specific to cloud infrastructure services?” As of June 2023, AWS announced its compliance with the CISPE Data Protection Code of Conduct.
CISPE (Cloud Infrastructure Services Providers in Europe) is a coalition of cloud computing leaders serving millions of European customers. The CISPE Data Protection Code of Conduct (CISPE Code) is the first pan-European data protection code of conduct focused on cloud infrastructure service providers. The CISPE Code was approved by the European Data Protection Board (EDPB), acting on behalf of the 27 data protection authorities across Europe, and formally adopted by the French Data Protection Authority (CNIL), acting as the lead supervisory authority.
In 2017, AWS announced its compliance with an earlier version of the CISPE Code. The CISPE Code helps customers ensure that their cloud infrastructure service provider offers appropriate operational assurances to demonstrate compliance with the GDPR and protect customer data.
- Cloud infrastructure focused: clarifies the role of the cloud infrastructure service provider under the GDPR with regard to the processing of customer data, that is, any personal data processed on behalf of the customer using the cloud infrastructure service.
- Data in Europe: requires cloud infrastructure service providers to give customers the choice to use services to store and process customer data exclusively in the European Economic Area (EEA).
- Data privacy: assures organizations that their cloud infrastructure service providers meet the requirements applicable to personal data processed on their behalf (customer data) under the GDPR.
The GDPR does not change the shared responsibility model, which continues to be relevant for customers. The shared responsibility model is a useful way to illustrate the different responsibilities of AWS (as a data processor or sub-processor) and customers (as either data controllers or data processors) under the GDPR. Under the shared responsibility model, AWS is responsible for securing the underlying infrastructure that supports AWS services (“security of the cloud”), and customers, acting either as data controllers or data processors, are responsible for any personal data they upload to AWS services (“security in the cloud”).
AWS responsibility, “security of the cloud”: AWS is responsible for protecting the global infrastructure that runs all of the AWS services. This infrastructure is comprised of the hardware, software, networking, and facilities that run AWS services, which provide powerful controls to customers, including security configuration controls, for the handling of customer content. AWS provides several compliance reports from third-party auditors who have verified our compliance with a variety of computer security standards and regulations (for more information, visit the ). These reports show our customers that we are protecting their customer data. Examples include AWS’ ISO 27001, 27017 and 27018 compliance; ISO 27018 contains security controls that focus on the protection of customer data.
Customer responsibility, “security in the cloud”: AWS customers are responsible for architecting and securing the applications and solutions they elect to deploy on AWS services. AWS customers are also responsible for configuring the AWS services in a way that protects the confidentiality, integrity and security needs of their customer data. The specific responsibilities customers have to secure their customer data vary depending on the AWS services customers elect to use and how those services are integrated into customers’ IT environments.
AWS customers have visibility and control over their customer data and can implement flexible security controls based on the sensitivity of the specific type of customer data. Customers can do this by using their own security measures and tools, or by using the security measures and tools made available by AWS or other suppliers. In this way, customers can put in place additional layers of security for more sensitive customer data. AWS makes available products, tools and services that customers can use to architect and secure their applications and solutions and that can be deployed to help handle the requirements of the GDPR, including:
- AWS Identity and Access Management (IAM) enables organizations to manage access to AWS services and resources securely. Using IAM, customers can create and manage AWS users and groups and use permissions to allow and deny access to AWS resources. IAM is a feature of AWS accounts offered at no additional charge.
- AWS CloudTrail allows organizations to log, continuously monitor, and retain information about account activity related to actions in AWS, which simplifies security analysis, resource change tracking, and troubleshooting (AWS CloudTrail is enabled on all AWS accounts by default).
- Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help protect AWS accounts and workloads. It monitors for activity that can indicate a possible account compromise, such as unusual API calls or potentially unauthorized deployments. GuardDuty also detects potentially compromised instances or reconnaissance by attackers.
- Amazon Macie is a machine learning tool to assist with the discovery and classification of personal data stored in Amazon S3.
Please see our whitepaper,, for further details on how to use AWS resources in compliance with the GDPR. Yes, you can search for “GDPR” in the to help find ISVs, MSPs, and SI partners that have products and services to help with GDPR compliance. Customers can also search for “GDPR” solutions on,
Yes, the AWS Security Assurance Services team has a number of activities to help customers on their journey to GDPR compliance. This team of industry certified compliance professionals helps customers achieve, maintain, and automate compliance in the cloud by tying together applicable compliance standards to AWS service specific features and functionality.
More details on how AWS Professional Services Consultants are helping customers can be found, Customers can use AWS Support to receive technical guidance to help them on their road to GDPR compliance. As part of this activity we have teams of Cloud Support Engineers and Technical Account Managers (TAMs) that are trained to help identify and mitigate compliance risks.
- The level of support AWS provides depends on the AWS Support Plan that customers choose.
- Customers looking to understand how AWS Premium Support can help them can find more information in the AWS Support Center, available through the, by using the contact details specified in the Enterprise Support Agreement entered into with AWS, or by visiting the,
Customers with Enterprise Support should reach out to their TAM with GDPR related questions. Customers may find the following two programs useful as they pursue GDPR compliance:
- Cloud Operations Review: available to AWS Enterprise Support customers, this program is designed to help identify gaps in their approach to operating in the cloud. Originating from a set of operational best practices distilled from AWS’ experience with a large set of representative customers, this program provides a review of cloud operations and the associated management practices, which can help organizations in their journey to GDPR compliance. The program uses a four-pillared approach with a focus on preparing, monitoring, operating, and optimizing cloud-based systems in pursuit of operational excellence.
- Well-Architected Review: this program allows organizations to measure their architecture against AWS best practices and to construct architectures that are secure, reliable, high performing, and cost-effective. Well-Architected Reviews also allow customers to understand where they have risks in their architecture and address them before applications are put into production.
AWS has a security incident monitoring and data breach notification process in place and will notify customers of breaches of AWS’s security without undue delay and in accordance with the AWS DPA. AWS also gives customers a number of tools to understand who has access to their resources, when, and from where.
- One of these tools is AWS CloudTrail, which enables governance, compliance, operational auditing, and risk auditing of an AWS account.
- With AWS CloudTrail, customers can log, continuously monitor, and retain information about account activity related to actions across their AWS infrastructure.
- This helps organizations understand what is happening in their AWS infrastructure and take action on any unusual activity immediately.
For more information on other security tools AWS gives customers to help meet their obligations as data controllers under the GDPR, visit the. AWS gives customers and APN Partners a number of tools to secure their customer data and help protect against cyber-attacks.
- One such tool is AWS Shield.
- This is a managed Distributed Denial of Service (DDoS) protection service to safeguard websites and applications running on AWS.
- AWS Shield Standard is available at no additional charge and provides always-on detection and automatic inline mitigations that can minimize application downtime and latency.
For higher levels of protection against attacks targeting web applications running on AWS and using ELB, Amazon CloudFront, and Amazon Route 53 resources, customers and APN Partners can subscribe to AWS Shield Advanced. AWS also publishes and routinely updates guidance that can help customers use AWS to build applications resilient to DDoS attacks.
- AWS Identity and Access Management (IAM) enables organizations to manage access to AWS services and resources securely. Using IAM, customers and APN Partners can create and manage AWS users and groups and use permissions to allow and deny access to AWS resources. IAM is a feature of AWS accounts offered at no additional charge.
- AWS Config allows customers and APN Partners to enable prepackaged rules which help ensure that their AWS resources are in a properly configured and compliant state.
- AWS CloudTrail allows organizations to log, continuously monitor, and retain information about account activity related to actions in AWS, which simplifies security analysis, resource change tracking, and troubleshooting (AWS CloudTrail is enabled on all AWS accounts by default).
- Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help protect AWS accounts and workloads. It monitors for activity that can indicate a possible account compromise, such as unusual API calls or potentially unauthorized deployments. GuardDuty also detects potentially compromised instances or reconnaissance by attackers.
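The detection these services describe (unusual API calls, activity without MFA, access to personal data from unexpected places) can be expressed directly over CloudTrail records, which is what the CloudTrail and GuardDuty descriptions above and in the earlier tool lists amount to in practice. The following is an added example, not AWS code and not how GuardDuty is implemented: it parses a constructed CloudTrail log file (hypothetical account ID, user names, bucket name and IP addresses, in the real record format) and applies a few triage rules. The trusted CIDR and the list of buckets holding personal data are assumptions a customer would supply from its own inventory.

```python
"""Triage CloudTrail records for GDPR-relevant access events.

Added example (not AWS code). The records below are constructed in the
CloudTrail log-file format; account ID, IPs, user names and bucket names
are hypothetical.
"""
import ipaddress
import json

# Constructed sample log: the "Records" array of one delivered CloudTrail file.
SAMPLE_LOG = json.dumps({"Records": [
    {   # root credentials used for a console login with no MFA
        "eventTime": "2024-03-01T09:12:44Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # MFA-backed user reads a personal-data object from the corporate network
        "eventTime": "2024-03-01T09:15:02Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "sourceIPAddress": "203.0.113.20",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
        "requestParameters": {"bucketName": "customer-data-eu", "key": "subjects/1.json"},
    },
    {   # same bucket read from an address outside the trusted ranges
        "eventTime": "2024-03-01T09:15:40Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "sourceIPAddress": "198.51.100.9",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
        "requestParameters": {"bucketName": "customer-data-eu", "key": "subjects/2.json"},
    },
    {   # long-lived access key (no session context) creates another access key
        "eventTime": "2024-03-01T09:16:10Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey", "sourceIPAddress": "192.0.2.55",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
        "requestParameters": {"userName": "bob"},
    },
]})

# Assumed environment facts (hypothetical): the corporate egress range and the
# buckets the customer's data inventory says hold personal data.
TRUSTED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
PERSONAL_DATA_BUCKETS = {"customer-data-eu"}
IAM_MUTATIONS = {"CreateAccessKey", "CreateUser", "CreateLoginProfile",
                 "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy"}
AUDIT_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def parse_records(log_text):
    """Return the list of event records from one CloudTrail log file."""
    return json.loads(log_text).get("Records", [])


def mfa_used(rec):
    """True if the record shows an MFA-backed identity: the console-login flag
    or the mfaAuthenticated attribute of an STS session. Long-lived access
    keys carry neither, so they count as not MFA-backed."""
    extra = rec.get("additionalEventData") or {}
    if "MFAUsed" in extra:
        return extra["MFAUsed"] == "Yes"
    attrs = ((rec.get("userIdentity") or {}).get("sessionContext") or {}).get("attributes") or {}
    return attrs.get("mfaAuthenticated") == "true"


def from_trusted_network(ip_text, cidrs):
    """True if sourceIPAddress lies inside a trusted CIDR. CloudTrail also emits
    non-IP values (service names) for some calls; treat those as untrusted."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in cidrs)


def triage(records, trusted_cidrs=TRUSTED_CIDRS, sensitive_buckets=PERSONAL_DATA_BUCKETS):
    """Apply the detection rules and return one finding dict per hit."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity") or {}
        name = rec.get("eventName", "")
        base = {"event": name, "actor": ident.get("arn", ident.get("type", "unknown")),
                "time": rec.get("eventTime")}
        if ident.get("type") == "Root":
            findings.append({**base, "severity": "high", "rule": "root-account-activity"})
        if name == "ConsoleLogin" and not mfa_used(rec):
            findings.append({**base, "severity": "high", "rule": "console-login-without-mfa"})
        if name in IAM_MUTATIONS and not mfa_used(rec):
            findings.append({**base, "severity": "medium", "rule": "iam-change-without-mfa"})
        if name in AUDIT_TAMPERING:
            findings.append({**base, "severity": "high", "rule": "cloudtrail-tampering"})
        bucket = (rec.get("requestParameters") or {}).get("bucketName")
        if bucket in sensitive_buckets and not from_trusted_network(rec.get("sourceIPAddress", ""), trusted_cidrs):
            findings.append({**base, "severity": "medium",
                             "rule": "personal-data-bucket-access-from-untrusted-network"})
    return findings


if __name__ == "__main__":
    for f in triage(parse_records(SAMPLE_LOG)):
        print(f"{f['severity']:6} {f['rule']:50} {f['actor']} {f['event']} {f['time']}")
```

Run as a script it prints four findings for the constructed log (root use, console login without MFA, an access-key creation under long-lived credentials, and a personal-data bucket read from outside the trusted range); in practice the same rules would be fed with log files delivered to the CloudTrail bucket or events streamed through CloudWatch Logs. A long-lived access key carries no session context, so `mfa_used` treats it as not MFA-backed, which is also how the IAM condition key `aws:MultiFactorAuthPresent` behaves.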
Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your personal data in AWS. As organizations manage growing volumes of data, identifying and protecting their personal data at scale can become increasingly complex, expensive, and time-consuming.
Amazon Macie automates the discovery of personal data at scale and lowers the cost of protecting your data. Macie automatically provides an inventory of Amazon S3 buckets including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with AWS accounts outside those you have defined in AWS Organizations.
Then, Macie applies machine learning and pattern matching techniques to the buckets you select to identify and alert you to personal data. Amazon Macie is certified to internationally recognized standards, such as ISO 27017 for cloud security and ISO 27018 for cloud privacy, and customers and APN Partners can also use Macie to continuously monitor access to their data in order to detect suspicious activity based on access patterns.
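As an added illustration of what the Macie description above means in practice (this is not Macie's code), the following script performs the two activities listed: an inventory of bucket posture (unencrypted, public, shared with accounts outside the organization) and pattern-matching discovery of personal data in object bodies, with a Luhn check so that random digit runs are not reported as payment cards. The bucket settings, object contents, account IDs and bucket names are constructed for the example.

```python
"""Macie-style discovery of personal data in S3 plus a bucket posture inventory.

Added example, not Amazon Macie's code. The bucket settings and object
bodies below are constructed; account IDs and bucket names are hypothetical.
"""
import re
from collections import Counter

# Hypothetical member accounts of the customer's AWS Organization.
ORG_ACCOUNTS = {"111122223333", "444455556666"}

# Constructed inventory: per bucket, the default-encryption algorithm the
# control plane reports (None = no default-encryption rule configured),
# whether public access is possible, which accounts the bucket policy grants
# access to, and a few object bodies to scan.
BUCKETS = {
    "customer-data-eu": {
        "encryption": "aws:kms", "public": False, "shared_with": {"111122223333"},
        "objects": {
            "subjects/1.json": '{"name": "A. Example", "email": "a.example@example.org"}',
            "exports/cards.csv": "4111111111111111,4111111111111112\n",
        },
    },
    "static-site-assets": {
        "encryption": None, "public": True, "shared_with": set(),
        "objects": {"index.html": "<html>hello</html>"},
    },
    "partner-dropbox": {
        "encryption": "AES256", "public": False, "shared_with": {"999988887777"},
        "objects": {"readme.txt": "questions: ops@example.net"},
    },
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 14-19 digit runs, optionally separated by spaces or hyphens; Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")


def luhn_ok(number):
    """Luhn checksum; filters out most digit runs that merely look like PANs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_personal_data(text):
    """Count personal-data indicators in one object body, by category."""
    hits = Counter()
    hits["email"] += len(EMAIL_RE.findall(text))
    hits["payment_card"] += sum(1 for m in CARD_RE.findall(text) if luhn_ok(m))
    return {k: v for k, v in hits.items() if v}


def bucket_posture(cfg, org_accounts, holds_personal_data):
    """Posture issues in the order the inventory reports them, plus an
    escalation when personal data sits in a bucket that is also exposed."""
    issues = []
    if cfg["encryption"] is None:
        issues.append("unencrypted")
    if cfg["public"]:
        issues.append("public")
    if cfg["shared_with"] - org_accounts:
        issues.append("shared-outside-organization")
    if holds_personal_data and issues:
        issues.append("personal-data-exposed")
    return issues


def inventory(buckets, org_accounts):
    """Scan every object and combine the findings with each bucket's posture."""
    report = {}
    for name, cfg in buckets.items():
        found = Counter()
        for body in cfg["objects"].values():
            found.update(find_personal_data(body))
        report[name] = {"personal_data": dict(found),
                        "issues": bucket_posture(cfg, org_accounts, bool(found))}
    return report


if __name__ == "__main__":
    for bucket, info in inventory(BUCKETS, ORG_ACCOUNTS).items():
        print(bucket, info)
```

The `encryption` field models the bucket's default-encryption rule as reported by the control plane, with `None` standing for a bucket that has no rule configured. Macie itself uses many more managed data identifiers than the two patterns shown and samples objects rather than reading every byte, but the escalation at the end of `bucket_posture`, personal data found in a bucket that is also exposed, is the finding a controller most needs to act on.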
Security by default means AWS services are designed to be secure by default. If the default configuration is used, access to resources is locked down to just the account owner and root administrator.
- AWS Identity and Access Management (IAM) enables customers to manage access to AWS services and resources securely. Using IAM, organizations can create and manage AWS users and groups and use permissions to allow and deny access to AWS resources. IAM is a feature of AWS accounts offered at no additional charge.
- AWS Multi-Factor Authentication (MFA) adds an extra layer of protection on top of an AWS account’s user name and password. AWS gives customers the option of virtual and hardware MFA devices.
- Integration and federation with corporate directories, allowing customers to reduce administrative overhead and improve the end-user experience.
- AWS Config allows customers to enable prepackaged rules which help ensure that their AWS resources are in a properly configured and compliant state.
- AWS CloudTrail allows customers to log, continuously monitor, and retain information about account activity related to actions across their AWS infrastructure, which simplifies security analysis, resource change tracking, and troubleshooting (AWS CloudTrail is enabled on all AWS accounts by default).
- Amazon Macie uses machine learning to help customers prevent data loss by automatically discovering, classifying, and protecting sensitive data in AWS. This fully managed service continuously monitors data access activity for anomalies and generates detailed alerts when it detects a risk of unauthorized access or inadvertent data leaks, such as sensitive data that a customer has accidentally made externally accessible.
AWS offers customers and APN Partners the ability to add an additional layer of security to their customer data at rest in the cloud and help them meet their security of processing obligations as data controllers under the GDPR. Encryption tools available on AWS include:
- Data encryption capabilities available in AWS storage and database services
- Flexible key management options, allowing the choice of whether to have AWS manage the encryption keys or to enable customers to keep complete control over their keys
- Encrypted message queues for the transmission of sensitive data using server-side encryption (SSE)
- Dedicated, hardware-based cryptographic key storage, allowing customers to satisfy compliance requirements
In addition, AWS provides APIs for customers and APN Partners to integrate encryption and data protection with any of the services they develop or deploy in an AWS environment. AWS provides specific features and services which help customers to meet requirements of the GDPR:
Access control: allow only authorized administrators, users and applications access to AWS resources
- Multi-factor authentication (MFA)
- Fine-grained access to objects in Amazon S3 buckets, Amazon SQS, Amazon SNS and others
- API request authentication
- Geo-restrictions
- Temporary access tokens
Monitoring and logging: get an overview of activities on your AWS resources
Encryption: encrypt data on AWS
- Encryption of your data at rest with AES-256 (EBS/S3/Glacier/RDS)
- Centrally managed key management (per AWS Region)
- IPsec tunnels into AWS with VPN gateways
- Dedicated HSM modules in the cloud
Strong compliance framework and security standards: we demonstrate compliance with rigorous international standards, such as the ISO certifications and third-party audit reports described above.
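The access-control features in the list above (MFA, source-IP and Region restrictions, object-level S3 permissions) are expressed as IAM policy conditions. The following evaluator is an added example, not AWS's policy engine: it implements IAM's documented decision order (an explicit Deny wins, then an Allow, otherwise implicit deny) for a small subset of the policy language and runs a constructed policy against constructed request contexts. The bucket name, statement Sids, CIDR, Regions and every request context are assumptions made for the example.

```python
"""Minimal evaluator for IAM policy conditions: MFA presence, source-IP and
Region restrictions, and object-level S3 resources.

Added example, not AWS's evaluation engine. Implements the documented
decision order (explicit Deny, then Allow, otherwise implicit deny) for a
subset of the policy language; policy, ARNs, CIDRs and request contexts
are constructed.
"""
import fnmatch
import ipaddress

# Constructed policy: MFA-backed reads of subject records from the corporate
# range only, and a blanket deny on S3 calls aimed at non-EU Regions.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadEuSubjectRecords", "Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::customer-data-eu/subjects/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"},
                       "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}},
        {"Sid": "DenyOutsideEu", "Effect": "Deny",
         "Action": "s3:*", "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}},
    ],
}

# Constructed request context for an MFA session from the corporate range.
MFA_REQUEST = {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.5",
               "aws:RequestedRegion": "eu-west-1"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match_any(patterns, value, fold_case):
    """IAM wildcard matching ('*' and '?'); action names compare case-insensitively."""
    if fold_case:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if fold_case else p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """Evaluate the supported operators. A key missing from the request context
    fails positive operators and satisfies negated ones, which is how IAM treats
    e.g. StringNotEquals on an absent key (a Deny built on it still fires)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, exp = ctx.get(key), [str(e) for e in _as_list(expected)]
            if operator == "Bool":
                ok = actual is not None and str(actual).lower() == exp[0].lower()
            elif operator == "StringEquals":
                ok = actual in exp
            elif operator == "StringNotEquals":
                ok = actual not in exp
            elif operator in ("IpAddress", "NotIpAddress"):
                try:
                    inside = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in exp)
                except ValueError:  # missing or non-IP value
                    inside = False
                ok = inside if operator == "IpAddress" else not inside
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return ('Deny' | 'Allow' | 'ImplicitDeny', sid) in IAM's evaluation order."""
    allowed, allowed_sid = False, None
    for st in policy["Statement"]:
        if not _match_any(st["Action"], action, fold_case=True):
            continue
        if not _match_any(st["Resource"], resource, fold_case=False):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny", st.get("Sid")  # an explicit deny always wins
        allowed, allowed_sid = True, allowed_sid or st.get("Sid")
    return ("Allow", allowed_sid) if allowed else ("ImplicitDeny", None)


if __name__ == "__main__":
    obj = "arn:aws:s3:::customer-data-eu/subjects/1.json"
    print(evaluate(POLICY, "s3:GetObject", obj, MFA_REQUEST))
    print(evaluate(POLICY, "s3:GetObject", obj, {**MFA_REQUEST, "aws:RequestedRegion": "us-east-1"}))
```

Two behaviours worth noting: the Allow statement never fires for long-lived access keys, because `aws:MultiFactorAuthPresent` is absent from their request context rather than set to `false`; and the `StringNotEquals` deny fires both when `aws:RequestedRegion` names a non-EU Region and when the key is missing, which is the behaviour to rely on when a Region restriction is meant to keep processing inside the customer's selected Region.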
The GDPR is an EU regulation and, post-Brexit, no longer applies in the UK. The UK government incorporated the requirements of the GDPR into UK law as the “UK GDPR”. AWS offers a UK GDPR-compliant to the that incorporates AWS’s commitments as a data processor under the UK GDPR. The is part of the and applies automatically to all customers who require a data processing agreement to comply with the UK GDPR. The, which is part of the, includes the SCCs adopted by the European Commission and the international data transfer addendum (IDTA) issued by the Information Commissioner’s Office (ICO). The IDTA amends the SCCs so that they constitute an appropriate safeguard under the UK GDPR for international transfers to countries outside the UK that have not been recognised as providing an adequate level of protection for personal data (UK third countries). The confirms that the SCCs (as amended by the IDTA) apply automatically whenever a customer uses AWS services to transfer customer data subject to the UK GDPR (UK customer data) to UK third countries.
We recommend that customers with questions regarding the GDPR contact their AWS account manager first. If customers have signed up for Enterprise Support, they can reach out to their Technical Account Manager (TAM) as well. TAMs work with Solutions Architects to help customers identify potential risks and mitigations. TAMs and account teams can also point customers and APN Partners to specific resources based on their environment and needs. AWS also has teams of Enterprise Support Representatives, Professional Services Consultants, and other staff to help with GDPR questions. You can contact us with questions.
Source: GDPR – Amazon Web Services (AWS)
Can you be both a data controller and processor?
Can you be both a controller and a processor of personal data? – Yes. If you are a processor that provides services to other controllers, you are very likely to be a controller for some personal data and a processor for other personal data. For example, you will have your own employees so you will be a controller regarding your employees’ personal data.
- However, you cannot be both a controller and a processor for the same processing activity.
- In some cases, you could be a controller and a processor of the same personal data – but only if you are processing it for different purposes.
- You may be processing some personal data as a processor for the controller’s purposes and only on its instruction, but also process that same personal data for your own separate purposes.
In particular, if you are a processor, you should remember that as soon as you process personal data outside your controller’s instructions, you will be acting as a controller in your own right for that element of your processing. If you are acting as both a controller and processor, you must ensure your systems and procedures distinguish between the personal data you are processing in your capacity as controller and what you process as a processor on another controller’s behalf.
Sharing data with a processor is not covered by the code – If a controller asks another party to process personal data on its behalf, for the purposes of the UK GDPR the other party is a “processor”, as defined in Article 4(8) of the UK GDPR. The UK GDPR draws a distinction between a controller sharing personal data with another controller, and a processor processing personal data on behalf of a controller.
- Article 28 of the UK GDPR lays down requirements that must be in place between a controller and processor, in order to protect the rights of the data subject.
- These requirements include a written contract and guarantees about security.
- Under the UK GDPR a processor must only process personal data on documented instructions from the controller.
A processor has its own liabilities and responsibilities both under the contract and the UK GDPR. This type of processing arrangement is outside the scope of this code, but further information is available on the ICO website.
What is the GDPR agreement between controller and processor?
The General Data Protection Regulation (GDPR) obliges Controllers and Processors to enter into a legally binding contract governing the processing of personal data when a controller engages a processor to process personal data on its behalf (a ‘data processing contract’).
When engaging a processor, the GDPR stipulates that controllers are obliged to use only processors which provide sufficient guarantees to implement appropriate technical and organisational measures to comply with GDPR and to protect data subject rights. There are also a number of other obligations which the GDPR imposes directly on controllers and processors in addition to any contractual obligations which they may be subject to under a data processing contract (for example, record-keeping obligations, ensuring the security of data processing etc.).
The GDPR has increased the number of provisions which must be included in a data processing contract. Article 28(3) GDPR prescribes the provisions which, at a minimum, must be included in a data processing contract. These are as follows:
- The subject matter, duration, nature and purpose of the data processing;
- The type of personal data being processed;
- The categories of data subjects whose personal data is being processed; and
- The obligations and rights of the controller.
A more detailed list of mandatory provisions is included in our guidance note. There are a number of other non-mandatory provisions which controllers and processors may wish to include in a data processing contract. Such provisions may include but are not limited to:
- Liability provisions (including indemnities);
- Detailed (technical) security provisions; and/or
- Additional cooperation provisions between the controller and processor.
Please see our Practical Guide to Controller-Processor Contracts (pdf) for more information.
Is data processor legally the same entity as the controller?
What is a data controller or a data processor? The data controller determines the purposes for which and the means by which personal data is processed. So, if your company/organisation decides ‘why’ and ‘how’ the personal data should be processed it is the data controller.
- Employees processing personal data within your organisation do so to fulfil your tasks as data controller.
- Your company/organisation is a joint controller when together with one or more organisations it jointly determines ‘why’ and ‘how’ personal data should be processed.
- Joint controllers must enter into an arrangement setting out their respective responsibilities for complying with the GDPR rules.
The main aspects of the arrangement must be communicated to the individuals whose data is being processed. The data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company.
- However, in the case of groups of undertakings, one undertaking may act as processor for another undertaking.
- The duties of the processor towards the controller must be specified in a contract or another legal act.
- For example, the contract must indicate what happens to the personal data once the contract is terminated.
A typical activity of processors is offering IT solutions, including cloud storage. The data processor may only sub-contract a part of its task to another processor or appoint a joint processor when it has received prior written authorisation from the data controller.
- There are situations where an entity can be a data controller, or a data processor, or both.
Controller and processor: A brewery has many employees. It signs a contract with a payroll company to pay the wages. The brewery tells the payroll company when the wages should be paid, when an employee leaves or has a pay rise, and provides all other details for the salary slip and payment. The payroll company provides the IT system and stores the employees’ data. The brewery is the data controller and the payroll company is the data processor.
Joint controllers: Your company/organisation offers babysitting services via an online platform. At the same time, your company/organisation has a contract with another company allowing you to offer value-added services. Those services include the possibility for parents not only to choose the babysitter but also to rent games and DVDs that the babysitter can bring. Both companies are involved in the technical set-up of the website. In that case, the two companies have decided to use the platform for both purposes (babysitting services and DVD/games rental) and will very often share clients’ names. Therefore, the two companies are joint controllers because not only do they agree to offer the possibility of ‘combined services’ but they also design and use a common platform.
Is a software developer a data processor?
GDPR compliance and what to expect from your development team
Websites and applications that are operated from the EU, or that process the personal data of individuals in the EU, fall under the General Data Protection Regulation (GDPR). This law came into effect on 25 May 2018.
When developing a website or application, consideration is given to how the data in the project should be handled in terms of GDPR. Something which can be overlooked is how GDPR applies to your working relationship with your software development company. This post is a very brief outline of your responsibilities when engaging a software development company and what you may need to think about when it comes to GDPR.
Under the GDPR, generally speaking, you will be the controller, who determines the purposes and means of the processing of personal data. Your software development company will be the processor, which processes personal data on behalf of the controller. As the controller, it is your responsibility to choose a software company that provides sufficient guarantees that it has appropriate technical and organisational controls in place to meet GDPR requirements.
The processor’s obligations include the following:
- The processor must only process data on documented instructions from the controller and cannot use the data for its own purposes.
- If the processor uses sub-contractors, they must be bound by the same data protection obligations as the primary processor.
- The processor must take reasonable steps to ensure the data is secure, such as pseudonymisation and encryption.
- The processor must notify the controller of any data breach.
- The processor must restrict personal data transfers to third countries (see below).
- The processor must allow access to the relevant Data Protection Commission in the event of an investigation.
- The processor must keep a record of processing activities when certain criteria are met.
Having your software company based outside the EU presents a number of challenges. The GDPR has specific requirements about transfers of data to third countries or international organisations. The EU maintains a list of countries for which an “adequacy decision” has been made. Where no adequacy decision exists, a transfer must rely on an appropriate safeguard, such as:
- Standard data protection clauses
- Binding corporate rules
- Approved codes of conduct
- Approved certification mechanisms
More information on international transfers can be obtained from the
What are the 6 lawful bases of data processing under the GDPR?
Guidance on Legal Bases for Processing Personal Data | Data Protection Commission
One of the first questions which organisations involved in processing personal data (‘controllers’) should ask themselves before undertaking the processing is “What is my reason or justification for processing this personal data?” This is of key importance because any processing of personal data is only lawful where it has what is known as a ‘legal basis’.
- Article 6 of the General Data Protection Regulation (GDPR) sets out what these potential legal bases are, namely: consent; contract; legal obligation; vital interests; public task; or legitimate interests.
- The aim of this guidance is primarily to assist controllers in identifying the correct legal basis for any processing of personal data which they undertake or plan to undertake – and the obligations which go with that legal basis.
Additionally, this guidance should assist those individuals whose personal data may be processed (‘data subjects’) in identifying whether the processing of their personal data is lawful, and, as part of that, what the legal basis for that processing may be.
What is a data processor within the context of the EU GDPR quizlet?
The GDPR defines a data processor as ‘a natural or legal person, public authority, agency, or other body, which processes personal data solely on behalf of the data controller.’ In this context, the data controller is the person or entity that controls the processing of the data.
Who does the GDPR apply to data processors?
What now? – Now that you have a better insight into who the EU GDPR applies to, you can take step-by-step actions to achieve compliance and become, and remain, an organization that takes care of its customers’ data. If you’ve realized that the GDPR applies to your organization, check out our solutions for GDPR-related issues.
Is a processor liable under GDPR?
Who is liable if a sub-processor is used? – If you are a sub-processor, you will be liable for any damage caused by your processing only if you have not complied with the UK GDPR obligations imposed on processors or you have acted contrary to lawful instructions from the controller, relayed by the processor, regarding the processing.
- If you are a processor and use a sub-processor to carry out processing on your behalf, you will be fully liable to the controller for the sub-processor’s compliance with its data protection obligations.
- This means that, under Article 82(5), if a sub-processor is at fault, the controller may claim back compensation from you for the sub-processor’s failings.
You may then claim compensation back from the sub-processor. A sub-processor may also be contractually liable to the processor for any failure to meet the terms of the agreed contract; this will of course depend on the exact terms of that contract. Processors and sub-processors should seek their own legal advice on issues of liability and on the contracts between controllers and processors, and between processors and sub-processors.
