First fine imposed on a data processor under GDPR

Derby Office Icon

The first fine against a data processor under the General Data Protection Regulation 2016 (“GDPR”) has been imposed by an EU data protection authority.

Although the non-compliance took place in Italy and the fine was only for EUR 50,000, it’s a timely reminder to data processors here in the UK of their direct statutory obligations under the new data protection regime.

Prior to the GDPR, the position in the UK (and most other EU Member States) was that only data controllers were subject to statutory obligations under data protection law. Data processors, on the other hand, were not at risk unless they breached their obligations under contract law (i.e. any contractual data protection obligations imposed upon them by the data controller).

The GDPR changed all this this by imposing certain direct statutory obligations on data processors at an EU-wide level. This means that data processors, as well as data controllers, are subject to the GDPR’s enforcement regime (including the potentially eye-watering fines). It also means that data subjects may be able to bring direct claims for compensation against data processors.

The main statutory obligations that apply to data processors under the GDPR are:

  • Data processors must only process personal data in accordance with the data controller’s instructions (unless otherwise required by law). If a data processor acts outside its instructions, it will become a controller for the purposes of that processing.

  • Data processors must enter into a binding contract with the data controller and that contract must contain certain mandatory provisions.

  • Data processors must not appoint a sub-processor unless they have the authority of the data controller to do so. Also, any contract with a sub-processor must include contract terms that offer an equivalent level of protection for the personal data as those in the contract between the data processor and the data controller.

  • Data processors must implement appropriate technical and organisational measures to ensure the security of personal data (taking into account, in each case, the level of risk involved in the processing).

  • Data processors must notify the data controller of any personal data breaches without undue delay.

  • Data processors may be subject to obligations to keep records of processing and/or appoint a data protection officer. Both these requirements only apply if certain criteria are met.

  • Data processors can’t transfer personal data outside the EEA unless the transfer (i) is authorised by the data controller and (ii) complies with the provisions of the GDPR relating to international transfers of personal data.

In the Italian case, the data processor’s non-compliance related to a failure to implement appropriate technical and organisational security measures to protect personal data. The Italian data protection authority (the Garante) had issued specific instructions regarding the security measures that the data processor needed to put in place and issued the fine when the data processor failed to comply. Interestingly, the Garante only fined the data processor, not the data controller.

If you’d like more information about the direct statutory obligations imposed on data processors under the GDPR or if you need guidance to work out whether your business is acting as a data processor, please contact a member of our Commercial Team.




Meet the new Geldards Trainees for 2019
This month we welcomed our latest cohort of Trainee Solicitors to Geldards. Seven new trainees, both existing Geldards employees and brand-new faces, will complete their two-year training contract with the firm.


Leaving a Legacy
24th September 2019
We are pleased to announce that our 3rd annual All-Wales Charity Governance, Law and Finance Conference will be held on Tuesday 24th September 2019 at the All Nations Centre, Cardiff.


Thoughts from Europe - a MIPIM blog
I am European, I feel European. Grinding my way around the major assembly that is the world at MIPIM, it’s such a reminder that even Europe is not the centre of most people’s universe.


Salus – Wealth and Family Protection
Salus Magazine is brought to you by the Private Client team at Geldards to help you protect your wealth and family.


Chris Williams


Partner, Cardiff

+44 (0)2920 391 877


Michelle Craven-Faulkner


Partner, Derby

+44 (0)1332 378 391