What is a “processor”?

A “processor” is a natural or legal person, public authority, agency or other body that processes personal data on behalf of a controller. They act on the instructions of the controller.

Where a pharmacy is acting as a processor or instructing a processor to process data on its behalf, it must ensure that it adheres to the requirements required by the UK GDPR.

Where you are acting as a processor, the UK GDPR stipulates the minimum requirements that should regulate the relationship between you and the controller. It is important that you have in place the relevant contractual requirements.

These should include:

• The requirement that you can only process personal data according to the controller’s instructions, unless otherwise required by law. Note that if you act outside your instructions or process the data for your own purposes, you will step outside your role as a processor and become a controller for that processing (Article 29)
• Restrictions on engaging other processors (Articles 28(2) and 28(4))
• Requirements to implement appropriate technical and organisational measures to secure personal data (Articles 28(1) and 32)
• Requirements for data breach notification (Article 33(2))
• Requirements to appoint a UK representative in certain situations (Article 27)
• Requirements to appoint a data protection officer in certain situations (Article 37)
• Restrictions on transferring personal data outside the UK (Articles 44-49)
• Record keeping requirements (Article 30(2)).