The last article in our GDPR Periscope series looked at common issues that arise for controllers and processors when negotiating data protection audit clauses. Sub-processing is another area where we frequently see friction in contract negotiations.
The GDPR provides that contracts between controllers and processors must include provisions requiring controllers to consent (either specifically or generally) to the appointment of a third party processor (or "sub-processor") to assist in the handling of personal data.
Controllers often seek absolute discretion to reject the appointment of sub-processors, while processors look for freedom to deliver services by engaging any sub-contractors they choose. We have seen a kink in the drafting of the GDPR requirements cause some negotiation problems here.
Article 28(2) starts by saying "the processor shall not engage another processor without prior specific or general written authorisation of the controller". Many processors have taken this as meaning they can reasonably seek a general right to appoint sub-processors in their contracts with controllers, particularly given their obligations to flow down GDPR clauses to sub-processors, and to remain fully liable for their failures. But the very next sentence says "In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes".
So even if a processor starts with a general right to appoint sub-processors, the moment it needs to change a sub-processor it has to give specific information to the controller, and allow the controller to object – so the value of a general right in the first place is questionable.
Whether the controller's right to object extends to a right to prevent the use of a proposed new sub-processor, or whether it is no more than a right to register concern, is often disputed. In our experience, this is an area where compromises are most readily reached when processors accept that some limits on their freedom to sub-contract are necessary, and controllers understand that expecting absolute discretion to reject sub-processing is unreasonable.
The crux of this matter is typically the controller's concern to be able to comply with its obligation to notify data subjects of the recipients of personal data. Many controllers consider that their transparency obligations are only served by being able to identify sub-processors to data subjects. As it will be incumbent on processors to know who their sub-processors are, we often find the quickest way to avoid negotiation stalling is for processors to accept that they will obtain specific rather than general authorisations to sub-processing (or at least, a general authorisation to appoint a named list of sub-processors).
The compromise is that controllers should accept that there should be controls around the authorisation/objection process, to make it more palatable to processors. These might include that the controller must give evidenced grounds for any objection it has to a particular sub-processor, or that there is a presumption of consent other than in limited circumstances (e.g. international transfers, or data security concerns). Often a resolution is quickest when controller and processor put themselves in the other's place – the controller seeking to understand why a processor would want to sub-contract without undue restraints (and the ultimate cost benefits that might deliver), and the processor considering why the controller needs to keep visibility of sub-processing and its concerns about losing control of personal data in complex supply chains.
Avoiding dispute by template
We often see unnecessary negotiation difficulties emerge where two companies have become wedded to their own GDPR template clauses. These template clauses will often have been drafted as part of a contract remediation process in the run up to 25 May 2018, frequently with a deliberately controller- or processor-friendly skew. Instead of looking at how relationships work in the real world, they will have been designed to allow companies to make as many of their contracts compliant with the GDPR as quickly as possible without negotiation.
In trying to remediate hundreds of supplier or customer contracts for GDPR compliance, many companies inadvertently got into a 'take it or leave it' mind-set that they have found difficult to shake off. The reality is that where Article 28 isn't prescriptive, it is flexible enough for companies to find efficient, business-friendly solutions that take account of the needs of controllers and processors and respect the rights of data subjects. But that depends on both companies being prepared to step back from templates that may have worked in a pre-GDPR remediation phase but are less valid now that the GDPR has been in effect for a year.