What is a GDPR processor?
A GDPR processor, in the sense of the General Data Protection Regulation, is an entity that processes personal data on behalf of another entity. This means that it handles the personal data of its clients. The purpose of this processing is to deliver a product or service on their behalf.
This is a different definition from that of classic subcontracting. According to the French Association for Standardization (Afnor), subcontracting is defined as "the operation by which a contractor subcontracts, under its responsibility, to another person called a subcontractor, all or part of the performance of a contract of enterprise or public procurement contract concluded with the client".
There is another type of relationship between parties who process shared personal data: joint responsibility in the case of co-processing. It is much less frequent.
Examples of GDPR processors
- Let's take the case of a SaaS platform or mobile application such as Doctolib, which lets you book an appointment with a healthcare professional. Doctolib is the healthcare professionals' processor, since it processes personal data on their behalf. Personal data (surname, first name, telephone number, e-mail address, etc.) is processed in order to schedule an appointment between the patient and the healthcare professional.
- If company A makes a platform available to the employees of company B in order to provide them with a service such as concierge services or human resources management (HR), then company A is a processor of company B within the meaning of the GDPR.
- Some of this data is personal data. Companies offering a bot are therefore processors of the e-tailers or chains for which they provide the bot.
What differentiates a service provider from a GDPR processor?
A technical service provider is an entity that provides, or is responsible for providing, a service on behalf of another organization. In other words, it provides work or a service.
It is the precise nature of the service that determines whether the service provider qualifies as a processor. If the service involves processing personal data on behalf of the client, the technical service provider is a GDPR processor. A service provider that is not a processor will not be audited by its client on GDPR aspects.
GDPR processor: what is the impact on GDPR compliance?
A GDPR processor has greater responsibility under the GDPR: in addition to complying with personal data rules within its own organization, it must also prove this to its clients and take responsibility for the personal data it processes (see the DPA in the Terms and Conditions).
An organization that is not a processor but processes personal data is obliged to be GDPR compliant or face sanctions. For a processor, GDPR compliance is clearly a fundamental pillar of offering its services: its clients and prospects will only be able to work with it if it demonstrates its compliance. Indeed, as part of their own GDPR compliance, clients must list their processors and verify their GDPR compliance.
However, the areas of compliance remain the same for a processor and a non-processor:
- Personal information
- Website compliance
- Compliance of digital tools
- Technical service provider compliance
- Human resources
- Prospecting
GDPR processor: complying with additional rules
Certain information must be included in the T&C to indicate processor status. You will have to state, and assume, your responsibility in the event of a data breach on your premises. Your client cannot ensure data security or the implementation of the right GDPR processes in your tool; you will therefore have to assume this responsibility.
The register of processing activities as a GDPR processor
The register as a GDPR processor must identify all categories of processing activities that are carried out on behalf of clients.
This is in contrast to the register of processing activities as data controller, which must identify all the processing activities carried out by the organization itself.
How do you manage GDPR compliance when there are multiple levels of GDPR outsourcing?
There are several levels of GDPR outsourcing. First, there is the classic case, tier 1: this covers everything the organization handles directly. For example, a billing system or a concierge service is a tier 1 GDPR processor.
A tier 1 processor can itself have a tier 2 processor. Indeed, the services mentioned above may use a data host. The GDPR requires you to monitor your technical processors. In this context, you only need to check tier 1 processors, i.e. your own processors. It is not necessary to check your processors' own processors; that is their responsibility.
Is a GDPR processor audited by its clients?
You will be audited by your clients. As part of their GDPR compliance, your clients are obliged to check that their service providers and processors comply with the GDPR. They therefore carry out GDPR compliance audits via their internal or outsourced DPO.
This generally consists of a list of questions to answer and GDPR compliance documents to provide, in order to verify your organization's compliance (including that of your digital platform) in terms of data security and adherence to GDPR rules.
For example: the privacy policy, which informs users about the data collected, its use and users' rights; the verification of prior consent; and the data retention period.
A privacy-by-design report will also be requested, indicating that the application is compliant or that a corrective action plan is underway.
What are the risks for a GDPR processor?
When a processor is not GDPR compliant, it faces several risks that can hinder the organization's growth.
The CNIL (National Commission for Information Technology and Civil Liberties) risk is the best known. An inspection can result in a formal notice to correct any deficiencies.
But the CNIL risk is not the most important one today. The biggest risk comes from your prospects and clients. More and more organizations ask for proof of GDPR compliance before signing a contract. Worse, they won't even contact you if they see a non-compliant website. Your clients will also have to leave you if the GDPR audit result is bad and you have no compliance plan.
So if you are not GDPR compliant, you risk losing clients, and your prospects will go elsewhere. This is a drag on your company's growth.