Questions & Answers
What is a Data Processor?
According to Article 4(8) of the EU's General Data Protection Regulation (GDPR), a data processor is a "natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller." A processor does not determine the purpose and means of processing; it acts only on the documented instructions of the data controller.
Why is this important for Taiwanese companies?
Any company processing the personal data of EU residents is subject to GDPR, regardless of its location. Fines for non-compliance can be up to 4% of annual global turnover or €20 million, whichever is greater. Furthermore, many international supply chains (e.g., semiconductor, automotive) require their partners (processors) to be GDPR compliant, posing a significant business risk if ignored.
Which ISO standards or international regulations are directly related?
The primary standard is ISO/IEC 27701 (Privacy Information Management System), which is an extension to ISO/IEC 27001 (Information Security Management System). Specifically, Clause 8 of ISO 27701 provides detailed controls and implementation guidance for organizations acting as PII (Personally Identifiable Information) processors.
Why choose Winners Consulting?
As Taiwan's first consultancy integrating ERM, industrial engineering, tech law, and data science, Winners Consulting offers a unique advantage. Led by a founder with a preventive law background, our team of tech lawyers and ISO Lead Auditors can vertically integrate GDPR requirements with management systems like ISO 27701, preventing redundant controls and strengthening trade secret protection for clients like TSMC and MediaTek.