So Many Confusing Terms! Is a service provider (CCPA) really the same thing as a processor (GDPR)?
Friday, January 22, 2021

No.

The European GDPR does not use the term “service provider” and, instead, refers to “processors.” While processors within the GDPR are defined in a similar manner to service providers under the CCPA, the GDPR is far more proscriptive regarding the contractual terms that must be present in a processor agreement. Specifically, the GDPR requires that a controller and a processor clearly set forth the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data involved, the categories of data subjects involved, the obligations and the rights of the controller, and the following substantive provisions:

  1. Documented Instructions. The processor will only process personal data consistent with the controller’s documented instructions.[1]

  1. Confidentiality. The processor must ensure that persons authorized to process personal data have committed themselves to confidentiality.[2]

  1. Processor Security. The processor must implement appropriate technical and organizational measures to secure the personal data that it will be processing.[3]

  1. Subcontracting authorization. The processor must obtain written authorization before subcontracting, and must inform its client before making any change to its subcontractors.[4]

  1. Subcontracting flow down obligations. The processor must flow down its contractual obligations to its sub-processors.[5]

  1. Subcontracting liability. The data processor must remain fully liable to the controller for the performance of a sub-processor’s obligations.[6]

  1. Responding to data subjects. The data processor must assist its client to respond to requests by a data subject.[7]

  1. Assisting Controller in Responding to Data Breach. The data processor must cooperate with its client in the event of a personal data breach. [8]

  1. Assisting Controller in Creating DPIA. The data processor must cooperate with its client in the event the client initiates a data protection impact assessment.[9]

  1. Delete or return data. The data processor must delete or return data at the end of the engagement.[10]

  1. Audit Right. The data processor must allow its client to conduct audits or inspections for compliance to these obligations.[11]

  1. Cross-border transfers. The data processor must not transfer data outside of the European Union without permission from its client, the data controller.[12]

In comparison, in order to be considered a service provider under the CCPA, a legal entity must process personal information “on behalf of a business”[13] and only be prohibited by contract from:

  1. Retaining the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”[14]

  2. Using the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”[15] or

  3. Disclosing the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title.”[16]

Note that the CPRA incorporated some, but not, all of the additional processor requirements mandated by the GDPR. For example, the CPRA requires that a service provider must flow down its contractual obligations to subcontractors.[17]


[1] GDPR, Article 28(3)(a).

[2] GDPR, Article 28(3)(b).

[3] GDPR, Article 28(1), (3)(c); GDPR, Article 32(1).

[4] GDPR, Article 28(2), 28(3)(d).

[5] GDPR, Article 28(3)(d) Art. 28(4).

[6] GDPR, Article 28(3)(d).

[7] GDPR, Article 28(3)(e), GDPR, Article 12-23.

[8] GDPR, Article 28(3)(f); GDPR, Article 33-34.

[9] GDPR, Article 28(3)(f); GDPR, Article 35 – 36.

[10] GDPR, Article 28(3)(g).

[11] GDPR, Article 28(3)(h).

[12] GDPR, Article 28(3)(a); GDPR, Article 46

[13] Cal. Civ. Code 1798.140(v) (Oct. 2020).

[14] Cal. Civ. Code 1798.140(v) (Oct. 2020).

[15] Cal. Civ. Code 1798.140(v) (Oct. 2020).

[16] Cal. Civ. Code 1798.140(v).

[17] Cal. Civ. Code 1798.140(ag)(2).

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins