Article 21*

Article 21 – Processor

Commission Proposal

1. Member States shall provide that where a processing operation is carried out on behalf of a controller, the controller must choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of the provisions adopted pursuant to this Directive and ensure the protection of the rights of the data subject.2. Member States shall provide that the carrying out of processing by a processor must be governed by a legal act binding the processor to the controller and stipulating in particular that the processor shall act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited.3. If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 20.

EDRi’s Proposed Amendment

1. Member States shall provide that where a processing operation is carried out on behalf of a controller, the controller must choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of the provisions adopted pursuant to this Directive and ensure the protection of the rights of the data subject.2. Member States shall provide that the carrying out of processing by a processor must be governed by a legal act binding the processor to the controller. These acts shall in particular stipulate that the processor shall: and stipulating in particular that the processor shall act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited.

(a) act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited;
(b) employ only staff who are under a statutory obligation of confidentiality;
(c) take all required measures to comply with the provisions adopted pursuant to Article 27;
(d) enlist another processor only with the prior permission of the controller;
(e) insofar as this is possible given the nature of the processing, create in agreement with the controller the necessary technical and organisational requirements for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;
(f) assist the controller in ensuring compliance with the provisions adopted pursuant to Articles 27 to 29;
(g) hand over all results to the controller after the end of the processing and not process the personal data otherwise;
(h) make available to the controller and the supervisory authority all information necessary to control compliance with the obligations laid down in this Article.
(i) take into account the principle of data protection by design.

2a. The controller and the processor shall document in writing the controller’s instructions and the the processor’s obligation referred to in paragraph 2.

3. If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 20.

Justification

The Commission proposal contains less detailed rules than the equivalent Article 26 of the proposed General Data Protection Regulation. This is unacceptable given that data processed in the scope of this Directive are often of a sensitive nature. The proposed amendment takes language from the proposed General Data Protection Regulation (including EDRi’s proposed amendments to theose provisions) and adapts it to the Directive.

  • eu logo The launch and upkeep (until December 31, 2012) of this website received financial support from the EU's Fundamental Rights and Citizenship Programme.
Follow

Get every new post delivered to your Inbox.

%d bloggers like this: