Whilst there is a plethora of articles and briefings on the GDPR, the focus has been on the changes to current data protection legislation (“DP Legislation”) which will increase a data subject’s rights to access and control their personal data, and on the impact this will have on a data controller.
The purpose of this briefing is to summarise, from the point of view of a service provider who is processing personal data on behalf of a client and is acting as a ‘data processor’, the key provisions in the GDPR which a data processor should consider for the purpose of its data processing contracts (“DP Contracts”) with data controllers.
| Provision in the GDPR | Importance for the DP Contract |
|---|---|
| The GDPR imposes a high duty of care upon data controllers in selecting their data processing service providers. | The Commission and supervisory authorities (also known as “Data Protection Authorities”) are likely to publish approved form service provider contract clauses. It seems likely that, from a service provider’s/data processor’s point of view, these will be onerous. Increased due diligence and a detailed assessment of the data controller’s data processing requirements will be required. In addition, the approach to pricing such requirements will need to be more rigorously reviewed. |
| Under the GDPR, a data subject whose rights have been infringed has the right to a judicial remedy against the data controller and/or the data processor (under current DP Legislation this only extends to data controllers). | This is a significant change for data processors. Data processors should seek to ensure that the DP Contract includes an indemnity in favour of the data processor for any claims from a data subject, or from a supervisory body on its behalf, where the claim results from a breach by the data controller. |
| Any person who has suffered damage as a result of infringement of the GDPR has the right to receive compensation from the data controller and/or the data processor (under current DP Legislation this only extends to data controllers). | Data processors will only be liable for damages caused by processing in breach of the obligations imposed on data processors by the GDPR, or caused by processing that is outside or contrary to the lawful instructions of the data controller. However, in order to ensure effective compensation for data subjects, data controllers and data processors that are involved in the same processing and are responsible for the damage caused will each be held liable for the entire damage. A data processor or data controller that is held liable to pay compensation is entitled to recover from the other that part of any compensation corresponding to the other’s part of the responsibility for the damage. Despite the above, we would advise that: • the DP Contract clearly specifies the scope of the data processor’s responsibilities; • the DP Contract includes a mutual indemnity for the benefit of the other party in respect of any liability or compensation paid to a data subject which results from the act of the other party; and • the DP Contract includes agreed mechanisms for resolving disputes in relation to the parties’ respective liabilities to settle compensation claims. |
| Data controllers and data processors will be subject to a general personal data breach notification regime, and data processors must report personal data breaches to data controllers. Non-compliance can lead to an administrative fine of up to 10,000,000 euros or, in the case of an undertaking, of up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is the higher. | The obligation for data processors to report breaches to data controllers applies ‘without undue delay after becoming aware of it’. Even if this is not specifically included in the DP Contract, data processors should be aware of it and of the financial implications of non-compliance. |
| The GDPR entitles representative bodies acting on behalf of data subjects to lodge complaints with supervisory bodies and to seek judicial remedies against data controllers and data processors (there is no equivalent provision in current DP Legislation). In addition, supervisory authorities are empowered to impose administrative fines on both data controllers and data processors. Administrative fines are discretionary and fall into two tiers: • some breaches will attract fines of up to 10,000,000 euros or, in the case of undertakings, 2% of global turnover, whichever is the higher; and • other breaches will attract fines of up to 20,000,000 euros or, in the case of undertakings, 2% of global turnover, whichever is the higher. | Historically, data controllers have sought broad (and often uncapped) indemnities from data processors. Whilst such indemnities will continue to be sought, given that the size of fines under the GDPR has significantly increased, data processors should not readily agree to uncapped liability. Specifically, the data processor has no control over the data controller’s turnover (to which fines are linked) and may be unable to insure the risk. We would advise that any such indemnity: • if agreed, is subject to the general cap on liability under the DP Contract; or • failing agreement of the above, is subject to a separate cap. In addition, the data processor should seek an indemnity from the data controller, in the form of a reverse of the above, in respect of any fines which it is obliged to pay as a result of a breach of the GDPR by the data controller. |
| Data processors will be required to maintain a record of the personal data which controllers engage them to process. | Whilst many data processors may already be meeting this requirement, it may be a challenge for some data processors, such as cloud and communications service providers. |
| Whilst not a provision in the GDPR, data processors should consider which party bears the cost and expense of implementing changes which are required as a result of any changes in the law. | DP Contracts routinely include provisions requiring the data processor to comply with all laws (both existing and future). Data processors should consider whether such provisions should be qualified. |
| Under the GDPR, as under current data protection legislation, personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. | Whilst this principle under the GDPR is akin to current data protection legislation, in light of the changes introduced by the GDPR and the increase in fines, we would advise that a data processor gives increased thought to what is meant by ‘appropriate technical or organisational measures’. This obligation is usually included as a straight flow-down from the data controller to the data processor in the DP Contract, and it is often the case that the measures are not detailed in the DP Contract. In order to minimise the risk of a data controller bringing a claim for breach of this obligation by a data processor, the parties should discuss at the outset what these measures should entail and insert the details of the measures as a schedule to the DP Contract. In this way the parties will be required to focus on what the data controller considers to be adequate technical or organisational measures, and on what the costs are if the data processor is obliged to take steps to put these measures or safeguards in place. |
The GDPR will take effect on 25 May 2018 and, as a Regulation, will be directly effective in member states without the need for implementing legislation. Data processors are therefore advised to consider whether their DP Contracts adequately reflect the changes due to be implemented by the GDPR and, if not, to start planning the changes which will be needed to their DP Contracts.