Data processors are processing data on behalf of the controller. You need to ensure that your processors are GDPR compliant.
Generally, data processors are only allowed to process personal data on documented instructions (=contract) from the controller. The processor also has to ensure that through technical and organisational measures.
Record of processing activities for data processors
- Name and contact details of processor, if applicable: data protection officer
- Name and contact details of controller (and representative and if applicable: data protection officer) for whom the data is processed
- Categories of processing activities that are processed on behalf of the controller
- Transmission of data to 3rd countries or international organisations
- if data is transmitted: documentation of guarantees that process is EU GDPR-compliant
- General description of TOMs (technical and organisational measures)
If a processor engages another processor or subcontractor, the controller needs to be informed prior to and has to confirm the processing activity.