What responsibilities do I have as a processor?

The Autoriteit Persoonsgegevens (AP) also supervises processors. You also have a number of specific obligations under the General Data Protection Regulation (AVG), including:

- You must fully comply with the instructions given to you by the controller for processing personal data. Unless those instructions violate the law. Are you not following the other organization's instructions? Then the AVG considers you a data controller with corresponding obligations.

- As a processor, you must have a processor agreement. A processor agreement allows you to justify that you may process personal data and in what manner. You can then invoke the basis of the controller.

- You must adequately secure personal data.

- As a processor, you may only outsource personal data to sub-processors if you have written consent from the controller. The subprocessor must provide at least the same level of data protection.

- Do you have a data breach involving the personal data you process on behalf of another organization? Then it is your duty to inform the controller as soon as possible. The latter in turn has a duty to report certain data breaches to the AP within 72 hours. And sometimes a processor-responsible party is also obliged to inform the persons involved.

- As a processor, you also have an accountability obligation under the AVG. For example, depending on the size of your organization, you must appoint a data protection officer (FG). Or keep a processing register.