Sub-processor

Yes, article 28 GDPR – Processor, paragraph 3 as well as all the other paragraphs apply all Data Processors, including internet line services and providers who provide voice over IP services, but only if they act as Data Processors. According to European Data Protection Board’s Guidelines 07/2020 on the concepts of controller and processor in the GDPR, “the role of a processor does not stem from the nature of an entity that is processing data but from its concrete activities in a specific context. The nature of the service will determine whether the processing activity amounts to the processing of personal data on behalf of the controller within the meaning of the GDPR”. If the internet line service provider or VOIP service provider have autonomy in the way they are processing personal data (for eg if they are regulated or if they log all traffic for analysis purposes), they are data controllers. If they can define a framework in which they can operate by obeying clear personal data processing instructions given in the service contract and in the data processing agreement, they can act as Data Processors.

Please consult these links as well:

• Article 28 GDPR – Processor: https://advisera.com/gdpr/processor/
• European Data Protection Board’s Guidelines 07/2020 on the concepts of controller and processor in the GDPR: https://edpb.europa.eu/our-work-tools/documents/public-consultations/2020/guidelines-072020-concepts-controller-and_en
• EU GDPR controller vs. processor – What are the differences? https://advisera.com/articles/eu-gdpr-controller-vs-processor-what-are-the-differences/