How to deal with Processors: Facts and hints to do it in an efficient way
Data controllers must treat the management and control of processors, and of any other party with whom personal data is shared, as a priority before commencing new projects and throughout their development. Data controllers are regularly subject to investigations, which often result in fines for non-compliance or for a lack of control over the management of these third parties. For example:
- The Garante per la Protezione dei Dati Personali (Italy) imposed a fine of 40000 euros;
- The CNIL (France) imposed a fine of 1.5 million euros;
- The Urząd Ochrony Danych Osobowych (Poland) imposed a fine of 53000 euros.
The objective of this article is to apprise organisations of the difficulties that may arise when assessing or working with a proposed third party, and to provide guidance on outsourcing the processing of personal data, with recommendations to avoid the most common issues.
The starting point and the most common issues
The primary responsibility for ensuring compliance with data protection obligations always lies with the controller. This obligation remains fully applicable when the controller outsources processing to a third party, regardless of the volume, nature or business context of the personal data concerned. In practice, the same entity may act at the same time as controller for certain processing operations and as processor for others. It must therefore be determined from the outset which entity carries the role of data controller and which the role of data processor. The distinction between the two underscores the respective responsibilities and gives the organisation a clear picture of:
- the development of the services in data protection terms, as well as in terms of general compliance; and
- the level of information that can be requested from a processor about its data protection practices.
In general, the source of the issue is an incorrect delineation of the processing activity, due to:
- lack of clarity on the assignation of the roles of the parties involved (i.e., controller/processor);
- lack of understanding on key aspects of the processing activity, such as the why (purposes of the processing) and the how (the means of the processing);
- the processor assuming such a level of control that the controller has no visibility of how the tasks assigned to it are carried out in practice. For example, this may occur when a processor uses the services of a sub-processor based outside the EEA that does not have appropriate data protection mechanisms in place.
Other common issues include:
- Lack of separation between the processing activities that the processor carries out as a controller and those it carries out on behalf of another controller.
- e.g., this situation may arise when the processor performs for its own benefit the same activity it offers as a service to other organisations.
- Acceptance of blurred contractual clauses, without a proper review, in the standard contract provided by the processor.
- e.g., this situation may arise when the processor uses a common template contract with several controllers. From a practical point of view, two consequences can follow:
- On the one hand, the same template may be replicated with sub-processors, so that the terms of the sub-processing are neither defined nor controlled for the specific processing. This lack of control leads to subsequent divergences and risks.
- On the other hand, standard contracts may result in the controller accepting an unfavourable indemnity or limitation of liability clause, which are frequently included in such standard agreements. More information about these types of clauses can be found in this post by Trilateral Research.
How to close the gaps: The tips to be considered
In light of the above, the following measures are recommended:
- Data controllers should have a clear view of the scope and characteristics of the processing to be outsourced (i.e., personal data categories, data subjects, systems to be used, and any instances where the processing could be manual). The controller should also be in a position to define what it needs and how it should be done.
- Data controllers must conduct a data protection review as part of the general due diligence process. This can be carried out via a data-protection-focused questionnaire to be completed by the potential processor, which is a genuinely useful tool for checking its data protection practices. Regarding this process, we recommend:
- The controller should provide hints to the potential processor about the information or specific documentation required to assess it. For example:
- The Record of Processing Activities, in terms of Art. 30.2 of the GDPR or 31.2 of the EUDPR;
- Policies and processes to cooperate with the controller on the management of the data subject rights requests; or
- Policies and processes regarding the development of Data Protection Impact Assessments;
- Clear and concrete measures regarding the protection of the personal data (i.e., location, password management, applications to be used to process the personal data).
- The inputs received should not be treated as a simple checklist; they should serve as a tool to verify the suitability of the processor, thus providing the necessary assurance of its capability and qualifications as a trusted partner. Of primary interest should be the way in which the processor would carry out its obligations on behalf of the controller.
- Data controllers, in consultation with their DPO and legal team, should draft personalised Data Processing Agreements tailored to the proposed processing activity. This practice is highly recommended for any processing activity the controller intends to outsource. There are several advantages to taking the lead on this aspect:
- the controller ensures a coordinated approach and legal strategy across all the processing activities it intends to outsource;
- the risk of being bound by a blurred clause is minimised;
- this approach is more efficient, as it saves time and effort (the review of any type of contract usually requires the participation of several stakeholders, with the corresponding time and resources involved).
- Consider the sector-specific or local requirements that may affect the processing activity; in other words, be mindful of rules on certain kinds of processing or sub-processing activities that cannot be carried out outside the EEA.
Trilateral’s Data Governance and Cyber Risk Team has extensive experience supporting organisations undertaking complex projects to comply with their data protection obligations. We offer a range of data governance services, including compliance support and updates regarding opinions published by the Data Protection Supervisory Authorities. Please feel free to contact our advisors, who would be more than happy to help.