The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. While the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave has published a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: Can a controller unilaterally amend a service provider agreement to incorporate requirements under the GDPR?
Article 28 of the GDPR requires that a controller “bind” its service provider to thirteen specific requirements concerning the data that the service provider will be processing on behalf of the controller. Whether a controller can impose a unilateral amendment upon a service provider (i.e., simply declare that the service provider must abide by each of the substantive requirements found within Article 28 of the GDPR) largely depends upon the structure of the underlying agreement. Specifically, if the underlying agreement grants the controller the right to impose unilateral changes, or the right to impose unilateral data security or privacy standards, the unilateral amendment would likely be effective. If, however, the underlying agreement requires that any amendment be made through a writing signed by both parties, the unilateral amendment would likely be ineffective.
Some controllers attempt to leverage generic “compliance with law” provisions found in master service agreements to impose unilateral changes by arguing that the unilateral changes are necessary in order for the processor to comply with the GDPR. The effectiveness of this strategy depends upon the following factors:
- What law is selected within the underlying agreement? Whether a unilateral amendment can be incorporated through an existing compliance with law provision depends, in part, on the principles of contract interpretation under the law selected to govern the underlying agreement.
- What forum is selected within the underlying agreement? Whether a unilateral amendment can be incorporated through an existing compliance with law provision depends, in part, upon the court or tribunal selected to interpret the underlying agreement if a dispute were to arise.
- Does the unilateral amendment exceed the scope of the GDPR? Attempts by a controller to go beyond the precise wording of the GDPR would likely be considered ineffective by most courts or tribunals. For example, while the GDPR requires that a processor make itself available for audits, a unilateral amendment that attempts to demarcate the boundary and scope of such audits (e.g., who will pay for the audit, how often audits might occur, etc.) may be rejected by courts.
- Is the processor directly governed by the GDPR? If the processor is not established within the EU, it may argue that it is not directly governed by the GDPR and, therefore, a generic reference to its “compliance with law” should not be interpreted as including the GDPR.
- Does the controller have prior knowledge that the processing does not comply with the provisions of Article 28? To the extent that the controller has actual knowledge that certain aspects of the processing are not in compliance with Article 28 (e.g., subcontracting is already occurring, disclosed security measures are arguably deficient, inadequate instructions were provided by the controller, or the controller has provided an inadequate (or non-existent) description of the processing), some jurisdictions may refuse to enforce a unilateral amendment based upon the equitable principles of laches and estoppel.
- Does the unilateral amendment attempt to restrict the jurisdictions in which the processor can transfer data? A unilateral amendment that restricts the ability of the processor to transfer (or receive) data outside of the EEA will likely be ineffective if the processor is physically based outside of the EEA, and/or if the controller had knowledge that the processing would occur outside of the EEA.