Data Processor - a quick reference guide

Entrusting the processing of personal data, processor assessment, risk of potential breaches and incident prevention - what should a data controller focus on when selecting and working with a processor?


Today, entrusting the processing of personal data to a processor is an everyday occurrence. Many business processes could not take place if such entrustment did not occur.  However, data controllers often forget that their obligations do not end with the signing of a contract and the transfer of data.

According to Article 5(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)(hereinafter: RODO), it is the controller who is responsible for the processing of data in accordance with the applicable law and must also ensure that it can be "held accountable" for this obligation.

In contrast, according to Article 28 of the RODO, the controller may only entrust data processing to entities that provide "... sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing meets the requirements of this Regulation and protects the rights of the data subjects."

Assessment of the processor

Therefore, when signing a data entrustment agreement, the most important aspects of which are described in Article 28(3) RODO, the controller should not assume a priori that a given entity meets such guarantees. The signing of the contract should be preceded by an appropriate examination which will allow to answer the question - whether the entity to which we want to entrust the processing of personal data has actually implemented adequate measures to ensure the security of data processing.

As indicated by the European Data Protection Board (hereinafter: EDPS) guideline No. 7/2020, the assessment of the warranties provided by the processor is a kind of risk assessment and may take place through the disclosure of relevant documentation, e.g.:

It is clear that such an assessment should not be performed for multiple processors at once. Each time, the controller must take into account the specific individual facts and, what data the entity will be processing, etc.

The EROD in the aforementioned guidance indicates that in the framework of this assessment, the controller should, in addition to the aforementioned documentation, also take into account:

As emphasised by the EROD and followed by the Office for the Protection of Personal Data (hereinafter: the DPA), data processing is a process. Thus, a controller must not, after signing a processing contract, fail to perform audit and verification activities against the processor. Such activities should be performed at appropriate intervals. However, it is up to the controller, who assesses the risks involved in the processing, how often to undertake activities in relation to the processor and how to verify the processor's activities and guarantees.


It is also worth pointing out that in case of personal data breaches involving a processor, it is necessary to audit the processor, to develop with the processor, if appropriate, new conditions for data processing, new technical or organizational measures. The controller and the processor should especially in such circumstances work closely together.

Finally, if the processor does not provide sufficient guarantees for improvement, the controller should consider the justification for terminating the cooperation with them.


The remedial measures taken by the processor, or the changes or corrections recommended by the controller, should be reasonable and appropriate to the manner and nature of the breach that occurred.

The controller should also not assume that its recommendations have been implemented. The lack of oversight of such a process may, in the future, prove to be a major problem for the controller itself, as it is responsible for the data being processed.

In the context of violations, and thus the possible interest of the Office for the Protection of Personal Data (UODO), controllers should also bear in mind that the supervisory authority may require the controller to demonstrate the conclusion of the entrustment agreement and answer the question whether and how it checked the processor before signing the agreement, and finally, what further steps, if any, it took within the cooperation to ensure the security of the processing.

Failure to comply with the requirements indicated in the RODO, within the framework of the data entrustment, exposes the controller to financial penalties, adequate to the degree, nature and gravity of the breach.

Author: Anna Jędrasiak, attorney-at-law



ul. Odyńca 7/13
02-606 Warsaw


We share our expertise and experience. Be the first to know about our initiatives, meetings with the Law Firm's specialists and changes in law that are relevant to your industry. We encourage you to read and subscribe to our newsletter.

By filling in the above field, you agree to receive a newsletter from Kancelaria Radcy Prawnego Monika Macura by e-mail. The consent may be withdrawn at any time. Personal data of persons subscribing to the newsletter are processed in order to send information about the Law Firm's offer by e-mail. Read the rules for processing your personal data.