On September 29, 2017 the French Data Protection Authority (CNIL) published a guide for data processors to implement the new obligations set by the EU General Data Protection Regulation (“GDPR”). The guidance addresses the extended scope of the GDPR and the new and direct obligations data processors will have when the GDPR comes into force on May 25, 2018. The guidance elaborates a three-step checklist for data processors:
- Assess whether a DPO must be appointed.
- Review and analyze existing contracts. In this regard, the guide provides template data processing clauses to be inserted in service agreements.
- Create an inventory of data processing operations.
The guide also provides further explanations on the processor’s obligations in appointing a subprocessor, on processor’s liability in helping the data controller to conduct data protection impact assessments (“DPIA”) and in notifying data breaches. It also addresses the possibility to elect a lead supervisory authority if there is a cross-border data processing activity and the obligation to appoint a data representative if the processor is not established within the EU.
Finally, the guide summarizes the regime of sanctions for data processors and lists some of the GDPR violations that would trigger these sanctions, such as:
- acting outside the scope of the data controller’s instructions;
- failing to assist the data controller in its obligations;
- failing to make available to the data controller information that demonstrates the processor’s compliance, including submitting to audits;
- failing to inform the data controller that an instruction may violate the GDPR;
- relying on a subprocessor without the prior approval of the data controller;
- relying on a subprocessor that does not provide sufficient guarantees;
- failing to appoint a data protection officer where necessary; and
- failing to keep a data processing inventory for the data processed on behalf of the data controller.