6

This question is inspired by this other question: What are an employed/contracted software developer's responsibilities under the GDPR?

I wanted to understand more precisely the concept of a data processor.

Is a programmer, who writes the code for a website or an app that handles user data, considered a data processor? Or is the data processor the software itself, and the programmer is just its creator?

Is writing the software for an app that processes user data equivalent to being a data processor, or is it the software itself that fulfills this role?

1
  • 5
    Is a blacksmith who manufactures a set of chisels therefore a sculptor? I suppose there are issues of fitness for purpose, but I don't see how the manufacturer of a software tool can be considered a data processor by virtue of having manufactured it.
    – phoog
    Commented Oct 28, 2023 at 17:50

2 Answers

18

(I work for a Data Processor, and so have to take GDPR training every year.)

If all you are is an independent contractor who writes the software and then hands it over to someone else, you're not a DP.

If in addition to writing the software, you the independent contractor have access to the production data stored at the Data Processor (or Data Controller)'s facility, then you're also considered a Data Processor.

In that case, you'll have to sign a contract saying that you know the GDPR rules, will follow them, etc. The DC might vet and audit you.

2
  • "have access to the production data" what does that mean in this context? Over the years I have at least in theory "had access to" a number of servers and databases that I never actually looked at (verified by access logs of same). Is the fact that I could look at it enough to change my status?
    Commented Oct 30, 2023 at 11:27
  • 4
    @JaredSmith just logs is tricky, since they don't usually have user data in them. Read access to the database, though, might make you a Data Controller or Data Processor, depending on who you're working for (even as a subcontractor).
    – RonJohn
    Commented Oct 30, 2023 at 13:31
12

The data processor is the legal entity which operates the data processing system under orders of the data controller.

A developer is a legal entity, and a developer might provide software as a service which would make the developer the data processor, but neither writing the software nor being contracted to maintain a server makes the developer a data processor.

An example for a simple case:

  • Company A uses a digital system to manage their payroll. The data on it is, beyond doubt, personal data covered by the GDPR. Company A is handling that data in fulfillment of the employment contracts their employees have signed, so no explicit consent should be necessary.

  • After a few years, Company A decides to outsource their payroll management to Company B. Company A signs a contract with Company B which specifies that A is the data controller and B is the data processor. Company B may only handle the data as it is instructed by Company A. Company B would need no consent by the employees of Company A for the data handling, because it is just the processor.

    • For any GDPR information or deletion requests, Company B must send the data subject to A, they cannot make any decisions about the data on their own.

    • For any GDPR information or deletion requests to Company A, their answer must also cover data which A has at B as per the data processing agreement. As the controller, Company A remains fully responsible for the data.

    • Company B would still be responsible for meeting the terms of their contract with A, which presumably specifies that B applies reasonable technical and organizational measures to safeguard the data, for instance. So when a security patch for their operating system comes around, it is up to B to install it without being told by A to do so.

6
  • Ok, so all developers who are hired (or freelance contractors) by companies for full stack developing, front end developing, or back end developing roles are not considered data processors, right?
    – User8
    Commented Oct 28, 2023 at 18:20
  • 5
    @User8, they are not processors if they never touch customer data. In many cases developers also do DevOps jobs, or they do some second or third level support as well, then one would have to look at the contracts.
    – o.m.
    Commented Oct 28, 2023 at 18:55
  • By "touching customer data" you mean accessing actual user data, correct? For example, designing and coding a login form doesn't fall into this category because even though the developer works with the code that manages usernames and passwords, they never deal with real user data, right? So they are not a data processor in this case, is that correct?
    – User8
    Commented Oct 28, 2023 at 19:07
  • 7
    @User8, yes. But you sound desperate to get a confirmation that hypotheticals you do in the future will not touch GDPR. That is impossible to give. Say you work with the login form on a non-prod environment, and there is a production bug, and they hand you a copy of the prod database to analyze things. You (and they) would be in trouble, then.
    – o.m.
    Commented Oct 28, 2023 at 19:42
  • 1
    Yes, I know, I would like to know how I can avoid undue responsibilities. However, in the case you mentioned, wouldn't it be enough to tell the person sending you the database "I am not authorized to open it" to avoid any liability? Anyway, thank you for your answers, you're great. What advice would you give me to feel more at ease regarding GDPR if I were to work as a software/web app developer?
    – User8
    Commented Oct 28, 2023 at 20:21
