GDPR significantly influences how organizations handle personal data. In addition to the company’s employees who work with the data directly, it is important to pay attention to external entities that may gain access to the data while performing their services.
A typical example is an IT service provider who ensures maintenance, service, technical support, or management of information systems.
Many employees, as well as some suppliers, do not realize that the mere possibility of accessing personal data is enough for the supplier to become a data processor under GDPR. It is therefore important to understand why this is the case and what it means for our organization.
According to Article 4(2) of the GDPR, ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Who is a data processor under GDPR?
According to Article 4(8) of the GDPR, a data processor is a natural or legal person, public authority, agency or other body that:
- processes personal data on behalf of the controller,
- and acts on the controller’s documented instructions.
This means that if an external company performs any activity during which it can see, obtain, or otherwise process personal data, even incidentally during maintenance, it falls into the category of processors.
When providing IT services, situations may arise where an IT specialist:
- resolves an issue in a database,
- performs system maintenance,
- diagnoses an error,
- has remote access to a system,
- updates software or configures settings,
- backs up data or restores a backup,
- performs data migration.
In all of these cases the IT specialist can, at least potentially, access personal data stored in the system. For GDPR purposes that is sufficient: giving the provider access to the data is itself a processing operation (“disclosure by transmission … or otherwise making available” and “consultation” in Article 4(2)), and the provider carries it out on the controller’s behalf. GDPR therefore treats the provider as a processor even if it never needs to open a single record during a given intervention.
IT support providers are consequently subject to the same rules as any other entity that processes data on behalf of a controller.
The European Data Protection Board (EDPB), in its Guidelines 07/2020 on the concepts of controller and processor, notes that a service provider may act as a processor even when processing personal data is not the main purpose of the service, provided that performing the service requires the IT provider to have systematic access to personal data.
Why can’t an IT service provider be considered a “third party”?
Under Article 4(10) of the GDPR, a third party is a natural or legal person, public authority, agency or body other than:
- the data subject, the controller, and the processor,
- and the persons who, under the direct authority of the controller or processor, are authorised to process the personal data.
Since an IT provider supports the system in which the data is stored and does so on the controller’s behalf, it is part of the processing chain and occupies the processor role. From a legal perspective it therefore cannot be a third party, and data may not be handed to it on that basis.
What does this mean for our organization?
An IT service provider with potential access to personal data is a data processor under GDPR.
You must conclude a Data Processing Agreement (DPA) with the IT provider in accordance with Article 28 of the GDPR. Under Article 28(9) the agreement must be in writing, including in electronic form. The Article 28(3) terms may be part of a broader contract, such as a Service Level Agreement (SLA). To make compliance easier to demonstrate, the EDPB recommends that all Article 28 elements be clearly identified in one place (e.g., in an annex).
Under Article 28(3), the agreement must set out at least:
- the subject matter and duration of the processing,
- the nature and purpose of the processing,
- the type of personal data and categories of data subjects,
- the obligations and rights of the controller,
- that the processor acts only on the controller’s documented instructions,
- confidentiality commitments for the persons authorised to process the data,
- the technical and organisational security measures required by Article 32,
- conditions for engaging sub-processors,
- assistance to the controller, including notification of personal data breaches,
- deletion or return of the data at the end of the service,
- audit and inspection rights, including making available the information needed to demonstrate compliance.
The controller must use only those processors who provide sufficient guarantees that they will implement appropriate technical and organizational measures so that processing complies with the GDPR, including security requirements, and protects the rights of data subjects. The controller is responsible for assessing the adequacy of the guarantees provided by the processor and must be able to demonstrate that all relevant factors were considered.
When assessing sufficient guarantees, the controller should consider:
- the processor’s expertise (e.g., technical knowledge of security measures and breach handling),
- the processor’s reliability,
- the processor’s resources.
Following these principles protects the organization from mistakes, incidents, and sanctions, and ensures that personal data is processed professionally and securely.
Remember:
- The obligation to use only processors offering “sufficient guarantees” is continuous. It does not end once a contract is signed. The controller should periodically re-evaluate the processor’s guarantees — if necessary, through audits.
- External IT workers must not be treated as “colleagues” in the GDPR sense. They are not persons acting under the controller’s direct authority; they are external entities subject to a separate security regime.
How to manage external IT specialists
When external IT specialists work with systems, strict rules must be followed to protect both the systems and the personal data they process. Employees must adhere to these principles:
- Limit access for external technicians to the minimum necessary. Grant only the access rights needed for the specific intervention (principle of least privilege), and remove them once the intervention is complete.
- Every remote access must be secured with MFA. Remote access to the network or a system must be protected by Multi-Factor Authentication to prevent unauthorized access.
- Every remote access must be pre-approved. External IT specialists may access systems only after formal approval by an authorized person (e.g., the IT administrator or security manager), and only for the systems and time window that were approved.
- Monitor and log all access to networks and information systems. Log the time, source IP address, account used, and actions performed by external technicians. Logs are essential for audits, incident analysis, and verifying that each session matched its approval.
- After every intervention, request a work report. The external technician must provide a report detailing:
  - tasks performed,
  - systems accessed,
  - whether personal data was accessed,
  - recommendations or changes made during the intervention.
  The report must be stored in the intervention records for audit purposes.
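The rules above only pay off if someone actually reconciles the three records they produce: the access logs, the pre-approval register, and the work reports. The following script is an added illustration of that reconciliation and is not code from the original page or from any vendor. It reads constructed remote-access log lines (an assumed key=value format), joins each external login against a constructed approval register, and flags sessions with no prior approval, no MFA, access outside the approved hosts, or no work report on file. Field names, ticket identifiers, hosts and addresses are all example assumptions.

```python
"""Periodic access review for external IT technician sessions (illustrative, assumed formats)."""
import shlex
from datetime import datetime

# Constructed access log lines (assumed key=value format; quoted values allowed).
ACCESS_LOG = """\
ts=2024-03-04T09:02:11Z user=ext.vendor1 src=203.0.113.10 host=db01 mfa=true action=login
ts=2024-03-04T09:05:40Z user=ext.vendor1 src=203.0.113.10 host=db01 mfa=true action="SELECT * FROM customers"
ts=2024-03-04T09:30:00Z user=ext.vendor1 src=203.0.113.10 host=db01 mfa=true action=logout
ts=2024-03-04T11:15:02Z user=ext.vendor1 src=203.0.113.10 host=hr-app mfa=true action=login
ts=2024-03-05T22:41:09Z user=ext.vendor2 src=198.51.100.7 host=fileserver mfa=false action=login
ts=2024-03-06T10:00:00Z user=ext.vendor3 src=192.0.2.5 host=web01 mfa=true action=login
"""


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z (works on Python 3.7+)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed pre-approval register: who may touch which hosts, and when (hypothetical tickets).
APPROVALS = [
    {"ticket": "CHG-1042", "user": "ext.vendor1", "hosts": {"db01"},
     "start": parse_ts("2024-03-04T08:00:00Z"), "end": parse_ts("2024-03-04T12:00:00Z")},
    {"ticket": "CHG-1050", "user": "ext.vendor3", "hosts": {"web01"},
     "start": parse_ts("2024-03-06T09:00:00Z"), "end": parse_ts("2024-03-06T12:00:00Z")},
]

# Constructed work reports, keyed by ticket. CHG-1050 has no report yet.
REPORTS = {
    "CHG-1042": {"systems": ["db01"], "personal_data_accessed": True,
                 "tasks": "rebuilt index on customers table"},
}


def parse_log(text):
    """Turn key=value log lines into dicts; shlex handles the quoted action values."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(token.split("=", 1) for token in shlex.split(line))
        fields["ts"] = parse_ts(fields["ts"])
        events.append(fields)
    return events


def review_sessions(events, approvals, reports):
    """Return (code, detail) findings for every external login that breaks a rule."""
    findings = []
    for e in events:
        if e["action"] != "login":
            continue
        where = f'{e["user"]}@{e["host"]} from {e["src"]} at {e["ts"].isoformat()}'

        # Rule: every remote access is protected by MFA.
        if e.get("mfa") != "true":
            findings.append(("NO_MFA", where))

        # Rule: every remote access is pre-approved, for these hosts, in this window.
        in_window = [a for a in approvals
                     if a["user"] == e["user"] and a["start"] <= e["ts"] <= a["end"]]
        matching = [a for a in in_window if e["host"] in a["hosts"]]
        if not in_window:
            findings.append(("NOT_APPROVED", where))
            continue
        if not matching:
            covered = sorted(h for a in in_window for h in a["hosts"])
            findings.append(("OUT_OF_SCOPE", f"{where} (approved hosts: {covered})"))
            continue

        # Rule: every intervention ends with a work report kept for audit.
        ticket = matching[0]["ticket"]
        report = reports.get(ticket)
        if report is None:
            findings.append(("NO_WORK_REPORT", f"{where} (ticket {ticket})"))
        elif report.get("personal_data_accessed") is None:
            findings.append(("REPORT_INCOMPLETE", f"{where} (ticket {ticket})"))
    return findings


if __name__ == "__main__":
    for code, detail in review_sessions(parse_log(ACCESS_LOG), APPROVALS, REPORTS):
        print(f"{code:16} {detail}")
```

Run as-is it reports one out-of-scope login (a technician approved for db01 reaching hr-app), one login without MFA that was also never approved, and one approved session for which no work report was filed; the first db01 session passes every check. The matching deliberately prefers an approval that names the host, so a technician holding two concurrent tickets is not flagged for the host the second ticket covers.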
IOSEC