
To be or not to be (a processor). That is the question.


In the case of a service provider that is not contracted by a controller to process personal data on its behalf but may gain custody of the controller’s personal data incidentally to the core services provided, should a contract with the controller-processor clauses required under GDPR Article 28 be drawn up?

In the run-up to the GDPR date of 25 May 2018, many of us received email requests to consent to processing – mostly to opt in to direct marketing. Many organisations also faced a wave of contract addenda adding new “GDPR clauses” to existing contracts because they were considered processors. 

In many cases, the addenda were necessary to comply with Article 28 of the GDPR. However, some service providers were overwhelmed by the sheer volume of clauses in these addenda in the context of the limited processing of personal data that was carried out.

Detailed analyses have been published to determine in which circumstances a service provider should be considered a controller or a processor. The Working Party 29 opinion of 2010 is a definitive reference. However, there are cases where the controller contracts a service provider for services that do not involve “data processing”, but during the provision of the service there may be instances where personal data may be “processed” under the GDPR definition of “processing”.

An example is an IT hardware supplier who may be required to patch a router or a server or to carry out a repair or to trouble-shoot a fault. The supplier would be granted access to the device. In some cases, the supplier will need to take custody of the device. If the device stores any personal data, the supplier may be “processing” since the GDPR definition of processing includes “storage”.

The objective of the processor obligations under the GDPR is to "avoid situations whereby processing by a third party on behalf of the controller of the file has the effect of reducing the level of protection enjoyed by the data subject." [Council of Europe Convention 108] To this end, in the scenario of the IT supplier, the mere custody of a device is enough to imply an obligation to safeguard that device against damage, theft or misuse. That obligation does not depend on whether the device contains personal data. If it does, the consequences of theft or misuse would be more significant than if it did not.

In the example, whether there should be controller-processor contract clauses with the IT supplier could hinge on whether the IT supplier gets custody of the device or when he is asked to perform some service that falls within the GDPR definition of “processing”. In practice, what often happens is that those clauses do get included in maintenance contracts or in the small print of a service sheet “just in case”.


Article provided by: George Sammut - Founder/Member, Malta IT Law Association
