What are my responsibilities under the GDPR?

The GDPR imposes obligations on all organisations that process personal data, regardless of whether they are data controllers or data processors.

In particular, you should:

  • Ask yourself if the purpose for which personal data may be collected is justified, and collect only personal data that is necessary for the specific purpose(s) envisaged;
  • Keep individuals’ personal data accurate and up to date, and delete the data when it is no longer necessary;
  • Respect individuals’ rights by informing them about how and why their data are processed, and allowing them to exercise their rights;
  • Check if you have an appropriate legal basis for the processing of personal data. If you intend to rely on the consent of individuals, ask for their consent before processing their personal data;
  • Make sure that individuals’ personal data is handled in a secure way;
  • Maintain a record of processing operations.

Data processors will have to adhere to the responsibilities set out in the controller-processor contract, and they must not process the data other than in accordance with the controller’s instructions.

 

More information: