Data processing is a task that companies can outsource. However, the contractual relationship between controller and processor is governed by strict rules, and in the European Union the GDPR has made important changes to them. In this interview with Mastaneh DJAZAYERI of Alpha Conseils Technologies, find out what you need to know about outsourcing data processing in the era of the GDPR.
In every sector of activity, more and more companies are collecting and processing data. Data can bring many benefits: it can be used to better understand the customer base and the competition, or to identify problems that hinder the growth of the business.
However, data processing requires technical skills that companies do not always have in-house, so many organizations choose to outsource. To learn about the contractual relationship between data controller and processor, we interviewed Mastaneh DJAZAYERI, Lawyer / GDPR Compliance, Doctor of Law, Data Protection Officer certified by Bureau VERITAS, at Alpha Conseils Technologies.
Can data processing be outsourced?
We can indeed answer this question in the affirmative. The controller may work with a processor in the same way as any other controller. In this case, the contract concluded with these partners will be binding between the parties.
However, the fact that a data controller uses a processor does not exempt it from complying with specific rules, which may be supplemented by other texts that we will discuss later.
The application of the GDPR has had a strong influence on the relationship between data controllers and data processors. Article 4(8) of the GDPR defines the processor as the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
For example, what data can a controller have processed by its processor?
This can be a simple activity, such as carrying out certain accounting operations, or a more complex one, such as managing employee payroll. Similarly, IT service providers, such as hosting providers and IT security providers, act as processors.
This is tantamount to saying that whenever a company outsources part of its activities, the external service provider acts as a processor for that company from the point of view of personal data.
In conclusion, we can answer this question in the affirmative, subject to certain criteria that the provider must meet in order to qualify as a processor.
What are these criteria?
To that end, the G29 established a list of indicators. This list is not exhaustive and has been partially taken up by the CNIL; it facilitates qualification on a case-by-case basis:
- The degree of instruction given by the service provider to the client, to determine the service provider's autonomy in its service,
- The degree of control exercised by the client over the execution of the service,
- The degree of expertise of the service provider, which allows its added value to be measured,
- Finally, the degree of transparency of the controller towards the data subjects regarding the use of service providers.
As stated above, it is essential that the relationship between a controller and its processor be legally defined, that it have a legal framework, and that it comply with a number of provisions that we are going to address.
What are the important elements of a contractual relationship between controller and processor?
As previously stated, the processor must be a legal person distinct from the controller. Acting on behalf of the controller means carrying out the instructions given by the controller, at least as regards the purpose of the processing and the essential elements of the means.
In my view, it is necessary to make clear that until now, under Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, only the data controller answered to the personal data supervisory authority for breaches of the regulations.
The processor was immune from sanctions imposed by the supervisory authorities. This is no longer the case with the GDPR, which establishes a chain of responsibility between the controller and its processor.
The Regulation aims to rebalance the relationship between the two operators by placing obligations directly on processors and reinforcing their contractual obligations. This means that the contractual relations between them must be clearly defined, on the one hand in order to limit the liability of each party, but also in terms of the amount of the penalty that may be imposed by the supervisory authority.
Therefore, two key elements govern the contractual relations between a controller and its processor:
The choice of processor
According to the Regulation, the controller may only use "processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject", as set out in Article 28 of the GDPR.
This means that the data controller will have to check the qualities of its processor. It must also ensure that the processor is able to take the necessary measures to protect the data subject.
This is not a guarantee in the legal sense of the term. However, the controller could probably be held liable by a data subject in the event of a violation of the data subject's rights by the processor, if it appears that the controller was negligent in its choice and did not ensure that its processor was able, according to the rules of the art, to meet all the requirements necessary for the lawfulness of the processing.
It is extremely important that the controller ensures that its processor adheres to a code of conduct or an approved certification scheme that can demonstrate the existence of sufficient guarantees, in accordance with Article 28(5) of the GDPR read together with paragraphs 1 and 4 of that Article.
As mentioned above, one of the important elements in this contractual relationship is the choice of processor, the criteria for that choice, and the guarantees offered by the processor.
The second element, which is paramount in the relationship between the parties, is of course the contractual provisions that will govern their relationship.
The contractual provisions governing their relations
We have seen that the first prerequisite of the contractual relationship between the two parties was the choice by the data controller of its processor and the guarantees that the processor could offer.
The second paramount element is the content of the contractual provisions governing the relationship between the parties, which we are about to address.
This relationship must be sealed by a written contract, either on paper or in electronic form. The contract shall necessarily specify that the processor:
- Processes personal data only on instruction. In such a case, the processor must inform the controller of this legal obligation prior to the processing, unless the law concerned prohibits such information on important grounds of public interest.
- Ensures that the persons authorized to process the personal data (employees, consultants, among others) have committed themselves to strict confidentiality or are under an appropriate statutory obligation of confidentiality.
- Takes all the security measures required under Article 32 of the GDPR.
- Respects certain conditions when it intends to engage another processor. These conditions must be clearly specified in the contract, in particular by obtaining the express agreement of the controller, and the second-tier processor will obviously have to provide the same guarantees as the first-tier processor.
- Assists the controller by all means in meeting its obligation to respond to requests from data subjects.
- Assists the controller with the security of the data, with notification in the event of a data breach, and with data protection impact assessments, taking into account the nature of the processing and the information available to the processor. These obligations are laid down in Articles 32 to 36 of the GDPR.
- It must be provided that, at the end of its engagement, the processor deletes all personal data made available to it by the controller, or returns them to the controller after destroying the existing copies. It is strongly recommended to have a release signed in this case, for greater legal certainty.
- Finally, the processor must make available to the controller, on a permanent basis, all relevant and necessary information to demonstrate that it is fully meeting its obligations. Likewise, it shall contribute in good faith to audits requested by the controller. It will necessarily have to act proactively and inform the controller if it considers that one of the controller's instructions infringes the Regulation or other Union or Member State data protection provisions.
These are some of the contractual provisions that we felt it was important to address in the context of the relationship between a controller and its processor. Similarly, current contracts, i.e. contracts concluded before the GDPR came into force on 25 May 2018, will need to be reviewed and made compatible with these provisions.
Finally, we can illustrate our point with a decision of the CNIL dated 18 July 2017 against the company HERTZ France, in which the latter was sentenced to a financial penalty of 40,000€ for a breach of security and not for a breach of personal data.
The incident had an unintentional, accidental character. It was a programming error during scheduled maintenance: the "accidental deletion of a line of code when changing servers". It will be very interesting to see what future decisions will be in this area.
What are the standard contractual clauses?
Standard contractual clauses are clauses governing transfers between controllers, or between controllers and processors. The novelty with the GDPR is that these clauses are no longer subject to the CNIL.
These clauses are referred to in Article 46(2)(c) and (d): "The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:
(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);
(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2)."
These clauses can therefore be adopted by the Commission or by a supervisory authority, and they can be included in contracts. For example, the Commission adopted a decision on 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council.
The CNIL has proposed contractual clauses for processing engagements: https://www.cnil.fr/sites/default/files/atoms/files/rgpd-guide_sous-traitant-cnil.pdf
It will be interesting to follow developments and institutional recommendations over time.
Can you tell us more about BCR?
Binding corporate rules, or BCRs, are governed by Article 47 of the GDPR. They are defined by the GDPR as: "personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity".
They are therefore internal rules governing, among other things, transfers of personal data to countries outside the European Union within a group of undertakings. BCRs can also be described as a code of conduct that defines the data transfer policy for each entity of the group and for employees (Article 47(1)(a)).
According to this Article: "The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they:
(a) are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;
(b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and
(c) fulfil the requirements laid down in paragraph 2."
BCRs can be used by a range of companies engaged in a joint economic activity that are not linked to the same group head. BCRs may be approved by the lead supervisory authority to regulate transfers carried out by a group in its capacity as controller or processor. For multinationals with subsidiaries in countries that do not provide an adequate level of personal data protection, BCRs are a good solution.
BCRs guarantee the following guiding principles:
- Purpose limitation,
- Minimization in data collection,
- Implementation of appropriate technical and organisational security measures,
- Guarantee of the rights of the data subjects,
- Definition and implementation of audits,
- Guarantee of constant communication with the lead supervisory authority,
- Training on personal data protection in all entities covered by the BCRs.
What are the advantages and disadvantages of BCRs?
BCRs constitute a contract between parties and must therefore be signed by all the legal entities that adhere to them, fully or partially, in order to be applicable. A register linked to the record of processing activities will have to be kept, identifying the entities of the group that are members and their level of membership (accountability).
It seems to me that it would be wise to illustrate this definition with some concrete examples.
The CNIL has authorized numerous transfers following the adoption of such rules (BCRs) (CNIL Deliberation no. 2015-137 of 7 May 2015, JORF no. 0138, 17 June 2015; CNIL Deliberation no. 2016-038 of 18 February 2016, JORF no. 0048, 26 February 2016).
Data controllers and processors are strongly advised to consult them for information and support purposes.
Finally, the G29 had at the time published information on the rules to be respected in the framework of these binding corporate rules. To conclude, on 6 February 2018, so very recently, the G29 adopted the "working document on binding corporate rules for processors", which illustrates the value of these rules.
To take advantage of support in bringing your company into compliance with the GDPR, you can contact Mastaneh Djazayeri of Alpha Conseils Technologies at the following email address: [email protected].