6

We are a charity that uses software to keep names and addresses of its members, email addresses and emergency contacts. We use a piece of software that is NOT cloud based. It is installed on the Secretary's PC. The software provider CANNOT see any data or access it, and they do not store it.

Are they a Data Processor? Do we need a DPA? Once we download the software everything is on our own PC, encrypted, password protected etc. We store everything and enter all data ourselves.

preferred_anon
Andy C

3 Answers

10

Art. 4 (8) of the GDPR defines what a data processor is:

A ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

As your software supplier does not process any data (no access, no storage, etc.) they are not a processor. You therefore do not need a Data Processing Agreement.

Your charity is a controller according to GDPR Art. 4 (7).

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data [...]

As a controller, you are responsible for all the requirements stated in the GDPR.

Ljm Dullaart
4

The software provider is not a data processor

To be a data processor, you'd need to process data. They don't. So they can't be a data processor.

The charity is a data processor & controller

Even if the database is offline, there's processing, collecting and managing data going on by the charity or different branches of it. As such, they have to follow the whole GDPR and figure out if they are a controller or if they have controller and processor sub-branches. It's highly advised to get a GDPR specialist lawyer to figure out the requirements.

Trish
2

For example, a supplier of database or spreadsheet creation software, with which a buyer can create databases or spreadsheets on their own computer in which the buyer stores personal data. This supplier has no interest in the data, it is not given that data, it has no access to that data, it is not instructed to process that data, it makes no decisions about that data, the data's purpose or lawful basis.

This supplier is not a GDPR data processor with respect to that data.

Lag