It goes without saying that, in the course of a public or private contract, the parties involved may have to manage and process a large amount of personal data belonging to third parties (the data subjects).
The issue of data processing is therefore central and can carry responsibilities, including economic ones, which are especially significant in light of the changes introduced by the European Regulation 679/2016.
In a procurement contract, the roles of the parties with respect to data processing are not automatically defined by the type of contract signed. Indeed, the Italian Data Protection Authority has already clarified that it may not be so obvious to define the parties as Controller (the client) or Processor (the contractor) of the processing.
Instead, the actual conduct of the parties with respect to the definition of the purposes and the means of processing is what truly distinguishes and formalizes the different roles within a data management system. In fact, it is the factual situation that identifies the Controller, the Joint Controllers or the Processors.
The above-mentioned fact-based approach already outlined by the Data Protection Authority is confirmed in the European Regulation, which distinguishes between:
- CONTROLLER: the entity that has decision-making power over the purposes and means of processing (it decides why and how the data are processed and who is authorized to process them), acting completely autonomously in these decisions;
- JOINT CONTROLLERS: two or more entities that jointly determine the purposes and means of data processing;
- PROCESSOR: the person or entity that performs one or more processing activities on behalf of the Controller, qualified as an external processor.
In light of the above, the first fundamental step will therefore be to analyze concretely, within the specific context, the roles of the parties (client and contractor) with respect to each processing of personal data. Once the roles have been defined, they will be incorporated and specified in the contract.
Likewise, the obligations and responsibilities of each contracting party must be set out in the contract, taking into account that the GDPR imposes obligations and responsibilities not only on Controllers and Joint Controllers but also on Processors, who are subject to fines and penalties for violations, as well as to claims for compensation made directly by the data subjects.
Particular consideration will therefore have to be given, when drawing up the contracts, to:
- the identification of roles;
- the definition of the obligations of each party, which will have to be provided in detail and no longer in a generic way.
In particular, if the contractor is defined as Processor, it must ensure that it is able to comply with the Controller's instructions, that it has appropriate tools for identifying and reviewing its data processing methods, and that it promptly reports violations to the Controllers. For their part, the Controllers must also verify that their contractual counterparts are equipped with a data management and processing system in line with the provisions of Regulation 679/2016.
The adoption of a data processing management system that ensures compliance with the European Regulation 679/2016 will become, in the opinion of the writer, one of the requirements that clients (Controllers) will have to evaluate for the purposes of the tender and the subsequent conclusion of the contract, particularly in the field of services. All the parties involved will have to be exceptionally careful in defining their respective roles and obligations when drawing up the contract.