The data processor is the person who processes personal data on behalf of, on the instructions of and under the authority of a controller. He does not himself determine the purposes of the processing but merely acts on instructions, failing which he may be reclassified as a controller.
Article 28 of the GDPR stipulates that, *"where processing is to be carried out on behalf of a controller, the latter must only use processors providing sufficient guarantees as to the implementation of appropriate technical and organisational measures to ensure that the processing meets the requirements of the GDPR and guarantees the protection of the rights of the data subject (...) processing by a processor must be carried out in accordance with the provisions of the GDPR (...) processing by a processor is governed by a contract or other legal act under EU law or the law of a Member State (...)."*
It is therefore necessary to establish a contract between the two parties; this requirement is necessary in order for the processing to be valid.
Failure to do so is punishable under Article 83 of the GDPR by an administrative fine of up to €10 million or 2% of the company's worldwide annual turnover.
In particular, contracts are among the documents systematically requested in the event of an inspection by the authorities.
This contract must be drawn up in written form, electronic writing being authorised.
The data processor must also:
- provide sufficient guarantees as to the implementation of appropriate technical and organisational measures to comply with the GDPR
- be chosen by the data controller, including when he has himself been recruited by a processor.
It is therefore up to the data controller to ensure that these obligations are met.
For your obligations as a data controller, see our article: What are my obligations as a data controller?
When the contract is concluded, the controller must ensure that it complies with the requirements set out in Article 28(3). In particular, the contract must describe for each processing operation outsourced:
- the purpose and duration of the contract
- the nature of the processing
- purpose of the processing
- type of personal data
- categories of data subjects
- obligations and rights of the controller.
The scope of the processing carried out by the processor on behalf of the controller is determined by the documented instructions which the controller must include in the contract.
Article 28 adds that the contract must also include the following obligations:
- to process data on the basis of documented instructions from the data controller
- ensure that the persons processing the data are bound by confidentiality
- take security measures for processing
- have general or specific written authority from the data controller to recruit another processor
- assist the data controller in its obligation to respect the rights of individuals
- assist the data controller in carrying out DPIAs
- delete or return data at the end of the contract
- allow the data controller to carry out audits of the processor on the implementation of the processing.
These can be grouped into the following 5 points:
I) Determine the main features of the contract and include documented instructions from the controller to the processor.
As seen above, the contract must be subject to strict instructions regarding the purpose and duration of the relationship, and the principal characteristics of the processing, which the sub-processor must record in its register.
Particular attention should be paid to the definition of "documented instructions". The explanations of the actions required of the processor must be included in the contract, and certain documents such as models or standard procedures may be annexed to the contract.
These instructions may include the data that the processor must include or exclude from the processing, the procedures for collecting, processing and archiving the data, the means of securing the data etc.
The processor must not go beyond these instructions, failing which it will be reclassified as a data controller if it takes the initiative in making decisions determining the means and purposes of the processing.
The only exception to this principle requiring the processor to act on instructions is where the processor is required to process or transfer personal data on the basis of EU law or the law of its Member State. In such cases, the data controller must be informed unless the law governing the processing or transfer prohibits such information being provided for reasons of public interest.
As regards the scope of the processor's obligations, Article 28 provides that the processor will be required to perform some of the obligations of the GDPR, such as confidentiality, security and all the other obligations set out in Articles 32 to 36 of the GDPR.
However, the parties remain free to determine by specific agreements, even in the presence of standard contractual clauses, the extent of their respective obligations as well as liability in the event of failure by the processor to fulfil its obligations.
II) Setting out the responsibilities of each party
Article 82 of the GDPR provides that *"the processor shall be held responsible for damage caused by processing only if he (...) has acted outside the lawful instructions of the controller or contrary to them"*.
It is therefore possible for the parties to arrange their liability by means of clauses that are very explicit and limited to their relationship.
Data subjects will be able to take action against either party in the event of a breach of their rights. However, this possibility must not be used to impose disproportionate obligations on the processor, by concluding a contract that is manifestly unbalanced.
The CNIL reminded us in 2017 that a simple clause in a subcontracting agreement cannot exonerate the data controller from all responsibility, and in particular from the full extent of its data security obligation. Accordingly, the controller must check that the measures taken by the processor are adequate and proportionate, even where the processor is responsible for the security of part of the data being processed.
However, this type of liability clause makes it possible to determine the part owed by each party in the event of a penalty.
III) Setting out the conditions for subcontracting by the processor
The agreement must specify that the processor may not use the services of another processor without the prior written authorisation of the controller, and define whether this authorisation will be specific or general:
- general authorisation = the controller must be informed in writing of any change of processor and given the opportunity to object to it
- specific authorisation = the contract must define the procedure to be followed to obtain this authorisation.
When the new subcontract is signed with the original subcontractor, the latter must in turn pass on to the new subcontractor the obligations arising from the original contract.
The 1st sub-contractor will be guarantor to the data controller of compliance with the obligations of the contract and the GDPR by all subsequent sub-contractors.
Lastly, the contract must specify the processor's requirements regarding transfers to countries outside the European Union or to international organisations, taking into account the provisions of the European Convention on Human Rights and the GDPR.
The processor may delegate certain processing activities to a processor located in a third country. If the contract does not allow this transfer outside the EU, the processor may only turn to national actors, and may not process data to any subsidiaries of its company outside the EU.
IV) Defining the role of the processor in assisting the controller
The need to introduce this type of clause will be based on the obligation for the processor to assist and advise the controller, in accordance with Article 28.3 of the GDPR.
The agreement will therefore need to contain details of how the processor can assist the controller in fulfilling its obligations.
The type and degree of assistance to be provided by the processor may vary considerably "taking into account the nature of the processing and the information to be provided".
With regard to particular measures of help and assistance, the processor must help the controller to:
- adopt adequate technical and organisational measures to ensure the security of processing
- notify breaches to the supervisory authority and to the data subjects. To this end, it must notify the supervisory authority whenever it discovers a breach affecting its data processing and IT facilities. The contract may specify a precise deadline and a procedure to be followed.
- carry out DPIAs and, where necessary, consult the supervisory authority.
However, all these obligations do not transfer responsibility to the processor, who is only required to assist the controller if necessary and on request.
An example of assistance: management of requests to exercise rights
The principle is that the data controller has an obligation to ensure that requests from individuals are processed. However, the contract must stipulate that the processor has the obligation to provide assistance *"by means of appropriate technical and organisational measures, insofar as this is possible"*.
The nature of this assistance may vary considerably depending on the nature of the processing and the type of activity entrusted to the processor.
This may range from the rapid transmission of any requests received to the response to such requests, particularly where the processor is in a position to manage and retrieve personal data. Instructions on this subject may be provided to the processor in the contract, prior to the start of operations.
However, it is always up to the data controller to check the admissibility of requests and compliance with the requirements laid down by the GDPR.
V) Ensuring data security and confidentiality
Article 32 of the GDPR specifies that it is the responsibility of both the controller and the processor to determine the technical and organisational measures for protecting personal data.
Even if the processor is already subject to the obligations of the GDPR, the contract must not simply repeat the latter's requirements regarding security measures.
It must state in practice what security measures the processor undertakes to put in place, its obligation to consult the controller before any changes are made, but also the need for it to carry out a regular review of these measures to check their effectiveness in the light of changes in the risks.
The data controller can assist in determining the variation in risks.
It is these details that enable the controller to determine whether the processor provides appropriate guarantees, and to justify this compliance to the data subjects in accordance with Articles 5.2 and 24 of the GDPR.
Depending on the risks, a detailed description of the security measures may be necessary, but sometimes a minimum level of protection to be achieved by the processor will suffice. In practice, a list of security measures proposed by the controller may be attached to the contract, or the controller may also validate such a list proposed by the processor.
The implementation of codes of conduct or certifications also provides information on the existence of additional guarantees from the processor in its role of securing processing.
Data security also involves compliance with an obligation of confidentiality. It is necessary to include in the contract (unless there is a legal obligation already in place) the obligation for the processor, each time it authorises a person to process the data, to guarantee compliance with confidentiality by the successive parties involved in the processing.
Formalising the contract with the SCCs
The subcontracting contract can be drafted ex nihilo to best suit the particularities of the situation, or can be based on standard clauses:
- those of the European Commission
- those of the CNIL, the French Data Protection Authority, which are simply general recommendations on subcontracting contracts
Find these model clauses directly in Dastra in editable Word format. Create a free account at https://app.dastra.eu/signup