Atis
There is no such obligation. It is the controller's duty to establish legal grounds for processing and give proper instructions to the processor. The processor's obligation is to follow instructions. Though the processor must inform the controller if instructions (in the processor's opinion) infringe GDPR or applicable Member State laws; but even then responsibility for legality of processing is on the controller. The processor's liability is to follow the agreement and instructions, and it is liable when it determines purposes and means of processing (i.e. steps outside the controller-processor relationship).
Smurf333
I agree with Atis, and in my experience, in many Data Controller/Data Processor agreements there are clauses that mirror the legislation and require the Data Controller to have complied with establishing legal justification for processing and to have acquired any necessary consents for the purpose. Through GDPR, and normally reinforced through the data processing agreement, you can only process the data on the specific instructions of the controller. There are certain responsibilities placed upon processors, and these include notification of potential data protection infringements and the accountability obligations, to name a few. A processor can be held liable for non-compliance, but you will not be liable if you can provide evidence that you are not responsible for any event giving rise to damage. Hope this helps.