While the European Data Protection Directive 95/46/EC (the “Directive”) and current EU data protection laws mostly address data controllers, the General Data Protection Regulation (“GDPR”) will impose several new obligations upon data processors from May 2018 onwards. The Directive entrusted the controller with ensuring compliance when employing processors by way of contractual agreements; the GDPR’s approach is different: although processors are still bound by the controllers’ instructions, the GDPR allocates responsibilities between the parties by assigning processors an active role and introducing direct statutory obligations as well as significant fines of up to 4% of the processor’s global annual turnover.
Companies acting as data processors should assess their new role under the GDPR and begin implementing the new standards in the near future.
1. New technical and organizational requirements
The GDPR stipulates several new requirements regarding a processor’s organization, such as:
- Representative in the EU, Art. 27 GDPR
  Processors subject to the GDPR but without an establishment in the EU must appoint a representative, just as controllers are obliged to.
- Implementation of Technical and Organizational Security Measures, Art. 28 par. 1, 3, Art. 32 GDPR
  The Directive relied on the controller to contractually require the processor to secure the personal data processed on its behalf. The GDPR obliges every processor to implement appropriate and reasonable state-of-the-art technical and organizational measures. Processors therefore have to comply with the same security requirements as controllers, including
  - Pseudonymisation and encryption,
  - Ensuring the confidentiality, integrity, availability and resilience of processing systems and services,
  - The ability to recover and restore access to lost data,
  - Regular evaluation of the technical and organizational measures taken.
- Support of the controller in conducting Data Protection Impact Assessments, Art. 28 par. 3 lit. f, 35 GDPR
  Where a data processing activity is likely to result in a high risk to the rights and freedoms of natural persons, controllers shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations (Art. 35 GDPR). Processors are not obliged to conduct Data Protection Impact Assessments themselves but have to support the controller in doing so.
- Data Processing Registers, Art. 30 GDPR
  Under the GDPR, most processors have to increase their accountability activities by keeping a register of their data processing activities, which must be made available to supervisory authorities on request. While similar to the register kept by controllers, it is less comprehensive, containing in particular the following information:
  - Name and contact details of the processor, of the controller(s) it works for and of its data protection officer,
  - The categories of processing carried out,
  - Transfers of personal data to a third country and the documentation of the suitable safeguards,
  - A general description of the technical and organizational security measures.
- Data Breach Notifications, Art. 33 par. 2 GDPR
  Processors under the GDPR have to notify the controller on whose behalf they are processing data without undue delay after becoming aware of a personal data breach (any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data). Often, more specific timelines will be specified in the contract between the controller and the processor.
- Data Protection Officer, Art. 37 GDPR
  Processors under the GDPR have to appoint an independent, reliable and knowledgeable data protection officer under the same conditions as controllers, meaning they are obliged to do so if their core activities consist of
  - Processing which requires regular and systematic monitoring of data subjects on a large scale,
  - Processing on a large scale of special categories of data (e.g. health, religion, race, sexual orientation etc.) and of personal data relating to criminal convictions and offences.
  A group of undertakings may appoint a single data protection officer provided that such data protection officer is easily accessible from each establishment. Thus, one global data protection officer steering data protection EU-wide may prove helpful in coping with differing regulations across the EU. Please note that national laws may require the appointment of data protection officers in additional cases (likely to be the case e.g. in Germany).
- Notification regarding the infringement of data protection obligations
  If a processor believes that a controller’s instruction infringes data protection obligations, it must inform the controller immediately (Art. 28 par. 3 lit. h GDPR). However, the processor is not obliged to verify the material lawfulness of the instruction; it only needs to inform the controller if doubts arise during its processing activities.
2. Direct interaction of processors with authorities and data subjects
The GDPR stipulates new cooperation obligations of processors:
- Processors under the GDPR are obliged to cooperate directly with supervisory authorities upon request (Art. 31 GDPR), while the Directive mostly limited supervisory contacts to controllers.
- Data subjects under the GDPR are entitled to enforce damage claims against processors. A processor is liable for damages caused by processing if it has acted contrary to its legal obligations or lawful instructions of the controller (Art. 82 GDPR).
- Data subjects cannot exercise their rights to information, access etc. (Art. 12-23 GDPR) against processors. However, the processor must support the controller for which it is processing in responding to data subjects’ requests.
3. Data processing agreement
Under the Directive, data processing agreements between controllers and processors were already mandatory, but such contracts often included only very basic obligations. Under the GDPR, the relationship between controller and processor needs to be regulated in greater detail (see Art. 28 GDPR), including with respect to the following obligations of the processor:
- To generally process the personal data only on documented instructions from the controller,
- To ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality,
- To secure the processing by appropriate technical and organizational measures,
- To comply with stricter sub-processing rules (the sub-processing contract needs to reflect the requirements of the data processing contract between the controller and the processor, and prior written approval of sub-processors by the controller will be required, although a general and abstract approval of sub-processors will remain permissible as long as the controller is allowed to object to the appointment of specific sub-processors),
- To assist the controller by appropriate technical and organisational measures in responding to data subjects’ requests,
- To assist the controller in compliance with the latter’s obligations regarding security of processing, data breaches and Data Protection Impact Assessments,
- To return or delete all personal data after the end of services unless obliged to retain the data by law,
- To make available to the controller all information necessary to demonstrate compliance with the latter’s obligations regarding processing by a processor and allow for and contribute to audits, including inspections.