Before the GDPR enters into force on 25 May 2018, companies processing personal data will have to reassess their approach to personal data processing. Under the current state of the law, a company acting as a personal data processor that has been found liable for unlawful personal data processing would be liable for a breach of contract. With the GDPR in place, this would no longer be the case, as it will impose legal obligations directly on such data processors. Fines for noncompliance may reach up to 4% of the annual turnover for the preceding year or EUR 20 million, whichever is higher.
What is a processor?
A processor is defined as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. The most common examples of processors are outsourced service providers (accounting, payroll, marketing, receivables collection, cloud servers etc.). The most important characteristic of a processor is that it processes personal data on the basis of a contract with another entity; the processor therefore may not independently determine the purposes and means of the processing of such data.
In practice, a company may simultaneously act as a data controller and a processor. For example, a debt collection agency acts as a data controller when processing the personal data of its employees. That same company would normally be considered a processor with respect to the personal data of its clients’ debtors.
As per Article 28, par. 10 of the GDPR, if a processor infringes the Regulation by determining the purposes and means of processing (i.e. by processing the data in a manner or for purposes other than as instructed by the controller), the processor shall be considered to be a controller in respect of that processing.
In practice, this means that organisations acting as data processors must be careful not to act beyond their clients’ instructions. Failure to comply with such instructions would expose them to significant compliance risks, as the higher standards applicable to data controllers would then apply to them (e.g. the necessity of a valid legal ground for each processing operation, compliance with data subjects’ rights etc.).
What is new for processors under the GDPR?
The most radical regulatory change coming with the GDPR is that it imposes certain legal obligations directly on processors, ultimately increasing the risks and costs of such personal data processing. These obligations include:
- accountability: every processor must keep records of the processing activities carried out on behalf of the controller;
- data security: processors must ensure the security of the personal data by implementing appropriate technical and organisational measures (such as data encryption, regular security assessments etc.);
- cooperation with the Data Protection Authority (DPA): processors will be obliged to cooperate, on request, with the DPA in the performance of its tasks;
- data breach notification: each processor must notify the controller without undue delay after becoming aware of a personal data breach;
- appointment of a data protection officer: like controllers, processors would be required to appoint data protection officers under certain circumstances (more information on data protection officers will soon follow in a separate article);
- liability: in addition to the exposure to administrative fines, the GDPR explicitly states that data subjects may bring claims for damages directly against processors. A processor would be held liable only where it has not complied with its obligations stemming from the GDPR or where it has acted outside or contrary to lawful instructions of the controller.
Data processing clauses
The new legal context in which controllers and processors will operate naturally raises questions about the adequacy of existing data processing contracts. Directive 95/46/EC stipulates that data controllers must appoint processors on the basis of a written agreement, which binds the processor to ensure the security of the personal data processed and to act only in accordance with the controller’s instructions.
The GDPR broadens the list of mandatory clauses. Data processing agreements must stipulate, among others, that the processor shall:
- ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- respect the conditions for engaging another processor – the processor may not engage another processor without prior specific or general written authorisation of the controller;
- assist the data controller to comply with certain GDPR requirements such as the obligations to report data breaches to the DPA and the data subjects and to carry out privacy impact assessments and prior consultations;
- assist the controller, by appropriate technical and organisational measures, insofar as possible, in the fulfilment of its obligations with respect to the data subjects’ rights, e.g. the right to be informed, the right to erasure, the right to object to processing etc.;
- at the choice of the controller, delete or return all the personal data to the controller after the end of the provision of services relating to processing;
- make available to the controller any information necessary to demonstrate compliance with the agreement and allow the controller to conduct compliance audits;
- immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other European Union or Member State data protection legislation – an appropriate preventive measure for the processor is to insert in the contract a provision allowing it to suspend any data processing until the compliance issue has been resolved by the parties.
Accordingly, it is in the best interest of both controllers and processors to review and renegotiate (where necessary) their existing data processing agreements before May 2018.
The information contained in this post is not intended to and does not constitute legal advice under Bulgarian law or under the laws of any other jurisdiction and is provided for informational purposes only.