Will processors have to fulfill the same compliance obligations, meet the same legal requirements, and have the same sanctions for not complying with the GDPR as controllers do?
Under the GDPR, processors must adhere to more compliance obligations and legal requirements compared to the current regulatory framework, but not to the same extent as that which are required of the controllers.
For example, processors will have to implement appropriate technical and organizational measures to ensure a level of security that is appropriate to the risk, designate a data protection officer, satisfy the conditions of transfers of personal data to a recipient in a third country or an international organization under very similar conditions to the ones that apply to controllers.
Processors will have to keep records of their processing activities, but the information to be included in such records differs from the records to be kept by the controller.
Privacy impact assessments or notification of personal data breaches will remain the main responsibility of the controller, even though the processor will have to assist in complying with obligations pertaining to such assessments and data breaches.
Sanctions for violations of the GDPR are the same for both controllers and processors, but the application thereof will of course depend on the circumstances of each individual case, including the degree of responsibility of the controller or processor for the violation at stake.
Stibbe, together with Chiomenti, Cuatrecasas, GIDE and Gleiss Lutz, have gathered this useful information, reflecting some common misconceptions about the implementation of the GDPR.