GDPR Misconception No. 9: Everybody is a Processor

This post is also available in: Deutsch (German)

Translated with

The EU legislator has allowed itself a disservice with the definition, or rather “non-definition”, of the term “processing”. Why is this so important? As soon as a data controller transfers data in any form to a third party for processing, he or she must impose on the third party the obligations that he or she has assumed. That seems plausible, but the devil is also in the detail here. According to most data protection authorities, processing already exists if someone could hypothetically access the data.

The storage of encrypted data by a contractor/sourcing company whose key is known only to the person responsible is regarded as processing.

This is identical to anonymising data, but anonymised data is not considered personal data and therefore does not fall under the GDPR! Processors are also not providers of telecom services, which are already regulated by telecom legislation (and therefore have an obligation to keep records). In the interest of the supervisory authorities, data protection is consistently undermined here. For public authorities, processing is possible even if only temporary access to the data takes place.

Example: A dedicated server stack is operated in a computer center; only the customer has admin rights; in an emergency, however, the data center operator can shut down the servers and intervene using special procedures. Thus he already becomes a processor from the point of view of the authorities.

The extensive definition of “processing” increases the risks.

Such regulations are absurd and will lead to creative solutions for circumvention. One should have limited oneself to addressing possible confidentiality losses in the context of order processing. Data protection is not primarily about availability, this is secondary. Also the processing definition shows: Information security was not understood as a fundamental principle (cf. MC 6). It is of little use to try to define as many contractual partners as possible as processors. This makes control impossible or uneconomical for the responsible party (or processor, because the chain is basically endless) – the risks increase instead of decrease. In addition, it leads to absurd chains of subcontractors and to declarations of consent that nobody understands anymore. I am sure that there are processes in which the processing chain “bites its tail”.

Verbinden wir uns!

Oh, hallo 👋
Schön, Sie zu treffen!

Mein Newsletter mit aktuellen Sicherheitsfragen und Themen rund um die Datenstrategie. Bitte melden Sie sich hier an.

Wir senden keinen Spam! Erfahre mehr in unserer Datenschutzerklärung.

Leave a Reply

Your email address will not be published. Required fields are marked *