What Is A Third Party Processor?

Alex Franch
March 20, 2023

Table of Contents

When you use advertising tools such as a facebook pixel or when you rely on third-party payroll software, you inevitably allow these service providers to collect and process personal data for your business operations. Under the GDPR, a service provider like this is called a “third-party processor”. 

When you use these third-party processors, you need to comply with the specific obligations set by the UK GDPR such as signing a data processing agreement with them. If you fail to comply with the GDPR, you may get slapped with penalties and regulatory action.

For instance, the French Data Protection Authority imposed a €1.5m fine on a software publisher “Dedalus”. One of the violations found was the non-compliant data processing agreement because this agreement did not contain the necessary elements. 

In this article, we will walk you through who third-party processors are, GDPR obligations to lawfully use these processors, and how you can comply.

To eliminate GDPR risks related to third-party processors, keep reading!

What is a third-party data processor?

Think about when Amazon sells  goods though their website. When customers place an order, Amazon will collect their personal data such as their names, email addresses, credit card information, and physical delivery addresses.

Therefore, Amazon business will be deciding what information to collect, how to collect it, and where to store the data and for how long. Under the UK GDPR, this Amazon is a “data controller”. 

However, this business will likely rely on third party tools when selling goods online.. For example, it may use a third-party cookie on its website to store products placed in shopping baskets by customers. Furthermore, it can also use third-party processor like Stripe to p to process payments made.

In these instances, these third parties don’t make any decisions how personal data will be used, they just process this personal data under the instructions of the data controller. 

These third-party service providers are called third-party processors under the UK GDPR.

Under the UK GDPR, a third-party processor is defined as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” This processor signs a data processing agreement with the controller and this agreement includes rules about how data will be collected and used.

Put simply, Amazon, the online business that sells goods online (the data controller) decides on what data to collect and how to use, process and retain such data. A third-party processor such as payment processor (like Stripe) or cookie provider  carries out processing activities on this data under the instructions of this data controller.

Processors vs joint controllers vs sub-processors

In the section above, we explained the difference between the data controller (Amazon) and the third-party data processor (Stripe).

Alongside third-party processor, there may be other parties that may collect and process personal data. 

Processors and Third Parties

Let’s now examine these other parties to understand the difference between third-party processor and other  parties.

  • Joint controller: Joint controller is a third party data controller that exercises joint control over the purposes and means of data processing activities.  For example, when you operate a facebook page, your business and Facebook are “joint controllers”. In this case, Facebook and your business signs a “Joint Controllership Agreement
  • Sub-processor:  When a third-party processor processes personal data on behalf of a data controller, it can use other third parties’ services and allow these third parties to access and process data controller’s personal data. Processors engaged by the third-party processor are called “sub-processor”. For example, when a website uses google analytics on its website, google becomes its third-party processor. Google may store data collected through google analytics on a cloud provided by another company. This cloud provider is a sub-processor. Third-party processor and sub-processor signs a data sub-processing agreement, which is separate from the data processing agreement entered into between the data controller and third-party processor.

What is required when a third-party company processes personal data?

Under the UK GDPR, the data controller bears ultimate responsibility and this covers third-party processors it uses as well. Therefore, the data controller should engage third-party processor in compliance with the GDPR requirements.

Full compliance can only be achieved by having a complete, accurate and up-to-date picture of all third-party processors, how they operate, what data they processes and where and how they store data. 

Therefore, you need to do the following to identify third party processors and implement appropriate measures.

  • Identify all the third-party processors you use: as a company you will use different processors, you have to ensure that they are GDPR as well, so keep a complete and up-to-date list of all the third-parties you engage with.
  • Data mapping: You need to map how data flows across your organisation, from its collection to its deletion (including the data that goes to your third-party processors).

Sign Data Processing Agreements Under the UK GDPR, your data processing agreement with your third-party processors must contain specific clauses. Furthermore, your processors must enter into data sub-processing agreement with their subprocessors. Furthermore, these sub-processing agreements must include the same obligations in your data processing agreement.

How to ensure your third-party processors meet the requirements of the GDPR

Under the UK GDPR,  data controller bears full responsibility for its processors’ compliance with the GDPR. Therefore, you need to implement appropriate measures to ensure that your processors processes personal data in compliance with the GDPR.

The key to ensuring your processors are compliant with GDPR is by signing a Data Processing Agreement (DPA) with your processors.. As data controller, this is a legal requirement as per Article 28 of the GDPR. This Data Processing Agreement must include specific terms. 

This agreement must at least address the following issues:

  • Instructions: Processor will process data only on documented instructions from the data controller
  • Duty of confidentiality: Processor muse ensure that any third party that processes personal data will be subject to confidentiality obligation
  • Security measures: Processor must implement all necessary security measures as required under article 32 of the GDPR.
  • Sub-processors: The processor should not engage another processor (a sub-processor) without the controller’s prior specific or general written authorisation
  • Data subject rights: Processor shall help controller effectively satisfy data subject requests such as access requests.
  • Assistance to controller: Third-party processor shall provide assistance to controller to help with various GDPR compliance matters.
  • End of the processing agreement: The agreement shall state that the third-party processor will delete data upon the end of the agreement.

In addition to having a DPA, you should also find out about the following to identify and minimise risks:

  • Where and how does the third-party processor store personal data?
  • Is there a notification procedure for overseas transfer of personal data ?
  • Are there appropriate security controls in place to identify and minimise risks?
  • Is there a breach response procedure in place?
  • Is there an international data transfer? For example, if your processor is located in united states or if it uses sub-processors such as Amazon Cloud to store data, you need to comply with international data transfer requirements under the GDPR.

If you act mainly as a data processor, you will need a standard data processing agreement that you sign with each of your clients. For instance, Hubspot mainly provides services as a data processor and it has a standard data processing agreement you can find here

Consequences of non-compliance with the GDPR processing regulations

If you fail to map all your data flows and identify your third-party processors, you will not be able to enter into data processing agreements with them. What is more, you will not be able to assess and minimise risks related to your third-party processors.

When you fail to comply with these obligations under the UK GDPR, you may face the following fines:

  • An individual may sue you, the data controller, at court for damages
  • The UK Data Protection Authority (“ICO”) may impose a fine up to £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

To avoid these GDPR fines and to benefit from the services of third-party processors, you need a practical tool that can map your data, identify your processors and create appropriate agreements.

This is why you should give Privasee a chance to help you satisfy these GDPR compliance requirements:

With Privasee, you can:

-Mapping your active cookies: The Privasee portal takes your personal data map and creates policies/cookie banners from this information.

- Mulitiple Languages support: If your website is accessible to users in third countries that speak other language, you should have your cookie policy in those languages as well. Privasee’s policy helps you have it in multiple languages.

-Create your data processing agreement: Privasee enables you to create your custom data processing agreement that you can use with all your customers thanks to its Dta processing Agreement generator.

To comply with the GDPR requirements without expending excess resources, try Privasee Platform here.

Key Takeaways & Wrap Up

In this article, we have helped you understand the following:

  • Third-party processor is an individual or a legal person that processes personal data under the instructions of a data controller. This processor is in a direct relationship with the controller and  acts in this controller’s interest.
  • Data controller and procesor must enter into a data processing agreement under article 28 GDPR and this agreement must include specific terms such as handling of data subject requests and appropriate security measures.
  • To use third-party processors in compliance with the GDPR, you need to map all data flow and identify your third-party processors.

Alex Franch is the co-founder and CEO of Privasee. With a background in computer science and cybersecurity, it is no surprise that he is a highly analytical problem solver; now putting these skills to use within the data privacy space. Alex is passionate about GDPR, and productivity and spends a lot of time doing sports as he values the importance of having a work-life balance. He is excited to help businesses generate documentation, and become and maintain GDPR compliance through the Privasee platform.

Get Compliant in <1 Hour

Are you Fully GDPR Compliant?

Ensure your policies are always up to date with Privasee, an AI powered GDPR compliance solution that does it all.