"Concept of Data Processor: Two basic conditions must be met for a party to qualify as a Data Processor:
1) Being a separate legal person or entity to the Data Controller
2) Processing personal data on the Data Controller’s behalf
In essence, therefore, the Data Processor is expected to execute and implement the Data Controller’s instructions. A data processor may, however, at its own discretion, choose the most suitable technical and organisational means for processing without qualifying as (co-) Data Controller. The lawfulness of the processing by the Data Processor depends on the specific mandate given by the Data Controller, but a Data Processor working beyond that mandate could be viewed as assuming the responsibilities of a (joint) Data Controller. There is, of course, a certain degree of flexibility in sharing and allocating data protection obligations and responsibilities provided that all parties are compliant.
Equally, the Opinion explicitly acknowledges pluralities of Data Processors. According to the Working Party, the Directive allows several entities to be designated as Data Processors or Data Sub-processors by subdividing relevant tasks, as far as they comply with the instructions of the Data Controller(s)." (source)
Name | Type | Cardinality | Description |
---|---|---|---|
dataProcessorName | EString | 0..1 | Specifies a textual name for the data processor. There is currently no unique naming scheme, but e.g. X.509 DNs or a XML namespace convention could be used. |
Name | Target | Containment | Cardinality | Opposite | Description |
---|---|---|---|---|---|
privacyProtectionMechanisms | PrivacyProtectionMechanism | Yes | * | Optionally specifies any privacy protection mechanisms which the data processor implements in relation to the specified use(s) of privacy-relevant information. | |
responsibleDataController | DataController | Yes | * | Specifies at least one responsible data controller who instructs this data processor to carry out processing of privacy-relevant information. | |
use | UseForPurpose | Yes | * | Specifies at least one use of the privacy-relevant information for at least one specified purpose by the data controller. |