In September 2017, the French Data Protection Authority, the CNIL, published a guide for data processors, which lists the responsibilities and obligations of the processor under the General Data Protection Regulation (GDPR):

  • Processors are required to comply with specific safety, confidentiality and documentation requirements. They must take data protection into account by design and by default for each service or product and put in place measures to ensure optimal data protection.
  • Processors have an obligation to provide advice to clients on whose behalf they process data. They must assist them in the implementation of certain obligations of the GDPR (privacy impact assessment, data breach notification, security and contribution to audits).
  • Processors, except SMEs, will be required to keep a record of processing activities performed on behalf of their clients.
  • In some cases, they should appoint a data protection officer under the same conditions as a data controller.

The guide also offers model clauses between the controller and processor pending the publication of new Standard Contractual Clauses.