Data protection law relies on the distinction between data controllers and data processors. This pivotal distinction remains under the General Data Protection Regulation (GDPR) and national legislation, such as the UK and Irish Data Protection Acts 2018, which specify the GDPR requirements. A data controller is the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data, whilst a data processor is the entity that processes personal data on behalf of the controller.
The GDPR has enhanced the data controllers’ obligations and introduced the principle of accountability, which means that they must be able to demonstrate compliance with the data protection principles. Although the data controller remains the key player under data protection law, the GDPR has introduced obligations and liabilities for data processors. It has also raised the standards for processors, including the obligation to apply robust security measures. Furthermore, when controllers use processors to process personal data on their behalf, a written agreement should be in place. The GDPR stipulates the minimum terms that this agreement should contain, detailing its necessary content and provisions. This also applies when a processor engages a sub-processor. Moreover, because data processors can be held directly liable, data subjects and supervisory authorities can hold processors to account if they breach their GDPR obligations.
Although these new provisions offer clarity and certainty about the roles of processors and controllers and the rights of data subjects, they have created some tension between data controllers and processors, especially when processors and controllers do not have equal bargaining power. It also seems unfair to expect processors to bear the liability for circumstances out of their control. There may be cases where the data processing agreements disproportionately allocate liability between processors and controllers after factors such as contract value, the resources of the processor and the risks involved have been considered.
The GDPR does not provide specific guidance about how the liability clauses of the agreement can be amended. An emerging question in the market is whether the parties retain their power in negotiating the liability clauses and deviating from the GDPR provisions. Do they have the right to negotiate the agreement or do these agreements have a similar function to adhesion contracts?
In this context, the Belgian Data Protection Authority (DPA) has issued guidance on these issues, shedding light on the roles and liabilities of controllers and processors. The DPA reiterates that both the factual and the legal elements should be considered when determining who qualifies as a controller. Essentially, this relates to the instructions given to the processor and the margin of manoeuvre it enjoys when it processes data. Although the decision-making lies with the controller, the controller is permitted to assign non-essential elements of this decision-making to the processor. For example, the processor is allowed to determine appropriate technical and organisational measures. However, any important decisions about the categories of data subjects and data recipients, the data processed, the retention period and the lawful basis must be taken by the controller. If processors do not follow the instructions of the controller or act outside the scope of their power and responsibilities under the GDPR, then they qualify as controllers with additional obligations. They also risk breaching the data processing agreement.
The DPA has also addressed some key questions regarding negotiations about contractual amendments. It clearly argues that it does not matter who has the bargaining power in data processing agreements. Therefore, the parties are entitled to consider the elements and context of the provision of services, the involved risks, including their magnitude and severity, any other parameters, such as insurance coverage, and decide how liabilities should be allocated between them.
What to consider before entering into a data processing agreement?
- Examine whether you are a data controller or processor. In case of doubt, consult your data protection officer and review any contractual agreements with your partners and customers.
- Record this decision-making and be able to justify it with reference to the legal provisions and the factual elements.
- Engage with processors that provide adequate safeguards and guarantees that they have the resources and expertise to meet the GDPR requirements and process data lawfully and responsibly.
- Check whether this processor is based in or outside the European Economic Area and implement the appropriate safeguards for data transfers.
- Request documentation about the data processor, including any insurance coverage and its partnerships with third parties.
- Review the processor’s policies and procedures in data management, in particular the disposal of personal data.
- If you are a processor, review the liability clauses, adopt measures to ensure that you follow the controller’s instructions and that these are documented.
For more information visit the Trilateral Data Governance page and contact our team.