
This question is inspired by this other question: What are an employed/contracted software developer's responsibilities under the GDPR?

I wanted to understand more precisely the concept of a data processor.

Is a programmer, who writes the code for a website or an app that handles user data, considered a data processor? Or is the data processor the software itself, and the programmer is just its creator?

Is writing the software for an app that processes user data equivalent to being a data processor, or is it the software itself that fulfills this role?

User8

2 Answers

18

(I work for a Data Processor, and so have to take GDPR training every year.)

If all you are is an independent contractor who writes the software and then hands it over to someone else, you're not a DP.

If in addition to writing the software, you the independent contractor have access to the production data stored at the Data Processor (or Data Controller)'s facility, then you're also considered a Data Processor.

In that case, you'll have to sign a contract saying that you know the GDPR rules, will follow them, etc. The DC might vet and audit you.

RonJohn
12

The data processor is the legal entity which operates the data processing system under orders of the data controller.

A developer is a legal entity, and a developer might provide software as a service which would make the developer the data processor, but neither writing the software nor being contracted to maintain a server makes the developer a data processor.

An example for a simple case:

  • Company A uses a digital system to manage their payroll. The data on it is, beyond doubt, personal data covered by the GDPR. Company A is handling that data in fulfillment of the employment contracts their employees have signed, so no explicit consent should be necessary.

  • After a few years, Company A decides to outsource their payroll management to Company B. Company A signs a contract with Company B which specifies that A is the data controller and B is the data processor. Company B may only handle the data as it is instructed by Company A. Company B would need no consent by the employees of Company A for the data handling, because it is just the processor.

    • For any GDPR information or deletion requests, Company B must send the data subject to A, they cannot make any decisions about the data on their own.

    • For any GDPR information or deletion requests to Company A, their answer must also cover data which A has at B as per the data processing agreement. As the controller, Company A remains fully responsible for the data.

    • Company B would still be responsible for meeting the terms of their contract with A, which presumably specifies that B applies reasonable technical and organizational measures to safeguard the data, for instance. So when a security patch for their operating system comes around, it is up to B to install it without being told by A to do so.

o.m.