Yesterday, I looked into the first half of the European Data Protection Board’s (EDPB or Board) final guidelines on how to determine who are controllers and processors under the General Data Protection Regulation (GDPR). Today, I will examine the second half of the guidelines, which details the consequences of the terms controller, processor, joint controller, and others.
In the second half of the guidelines, the EDPB turned to the consequences of these terms and relationships between them. The Board stated:
A distinct new feature in the GDPR are the provisions that impose obligations directly upon processors. For example, a processor must ensure that persons authorised to process the personal data have committed themselves to confidentiality (Article 28(3)); a processor must maintain a record of all categories of processing activities (Article 30(2)) and must implement appropriate technical and organisational measures (Article 32). A processor must also designate a data protection officer under certain conditions (Article 37) and has a duty to notify the controller without undue delay after becoming aware of a personal data breach (Article 33(2)). Furthermore, the rules on transfers of data to third countries (Chapter V) apply to processors as well as controllers. In this regard, the EDPB considers that Article 28(3) GDPR, while mandating a specific content for the necessary contract between controller and processor, imposes direct obligations upon processors, including the duty to assist the controller in ensuring compliance.
Under the GDPR, controllers are generally responsible in the ordinary course of processing (unless a processor starts processing data for its own purposes or some of the other processor-specific responsibilities are at play) and are responsible for a processor’s guarantees regarding the security of the processing, to cite one area. Accordingly, the Board contended that controllers must use “only processors providing sufficient guarantees to implement appropriate technical and organisational measures.” And so, the EDPB continues, controllers must assess the sufficiency of a processor’s guarantees, which will often “require an exchange of relevant documentation.” The Board cautions that, as the circumstances of personal data processing differ widely from controller to controller and processor to processor, it is not possible to “provide an exhaustive list of the documents or actions that the processor needs to show or demonstrate in any given scenario” to establish whether the processor possesses the appropriate technical and organisational measures. The Board suggests some of the types of documents and processes that may suffice but leaves this consideration open-ended. Nonetheless, the EDPB does offer general guidance:
- The following elements should be taken into account by the controller in order to assess the sufficiency of the guarantees: the processor’s expert knowledge (e.g. technical expertise with regard to security measures and data breaches); the processor’s reliability; the processor’s resources. The reputation of the processor on the market may also be a relevant factor for controllers to consider.
- Furthermore, the adherence to an approved code of conduct or certification mechanism can be used as an element by which sufficient guarantees can be demonstrated. The processors are therefore advised to inform the controller as to this circumstance, as well as to any change in such adherence.
The EDPB stressed that controllers have an ongoing responsibility to ensure a processor offers sufficient guarantees, a responsibility that does not end when a contract or legal instrument for the processing is signed.
The Board provides its advice on what contracts between controllers and processors should look like. The EDPB recites that under Article 28(3) all data processing must be performed pursuant to a contract or “other legal act” between a controller and processor. This instrument must be in writing, including in electronic form, and all non-written contracts will be per se illegal under the GDPR. The Board clarified “legal act” as a national law “or other legal instrument” and stated that unless the legal act contains all the elements of an agreement between controllers and processors, there must be a supplemental contract.
The Board noted parties can negotiate their own contracts or use standard contractual clauses (SCCs) adopted either by the European Commission or a supervisory authority. The Board stressed that SCCs need not be used and either a negotiated contract or SCCs may meet the GDPR’s requirements. However, the EDPB observed that the data protection clauses of an agreement must match those of the SCCs if this is what the parties are relying upon, and additional language may be added so long as it does not contradict the SCCs. In any event, the EDPB emphasized that whatever the form of the agreement, it cannot merely be a recitation of the provisions of the GDPR and must “include more specific, concrete information as to how the requirements will be met and which level of security is required for the personal data processing that is the object of the processing agreement.” The Board added that agreements should also “take into account ‘the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject.’” The EDPB stated contracts should fit the risks involved in the particular data processing, and overly restrictive terms would not likely fit processing with low risks.
The Board interpreted Article 28(3) with respect to the required contents of a contract between controllers and processors:
- the subject-matter of the processing (for instance, video surveillance recordings of people entering and leaving a high-security facility). While the subject matter of the processing is a broad concept, it needs to be formulated with enough specifications so that it is clear what the main object of the processing is;
- the duration of the processing: the exact period of time, or the criteria used to determine it, should be specified; for instance, reference could be made to the duration of the processing agreement;
- the nature of the processing: the type of operations performed as part of the processing (for instance: “filming”, “recording”, “archiving of images”, …) and purpose of the processing (for instance: detecting unlawful entry). This description should be as comprehensive as possible, depending on the specific processing activity, so as to allow external parties (e.g. supervisory authorities) to understand the content and the risks of the processing entrusted to the processor.
- the type of personal data: this should be specified in the most detailed manner as possible (for instance: video images of individuals as they enter and leave the facility). It would not be adequate merely to specify that it is “personal data pursuant to Article 4(1) GDPR” or “special categories of personal data pursuant to Article 9”. In case of special categories of data, the contract or legal act should at least specify which types of data are concerned, for example, “information regarding health records”, or “information as to whether the data subject is a member of a trade union”;
- the categories of data subjects: this, too, should be indicated in a quite specific way (for instance: “visitors”, “employees”, delivery services etc.);
- the obligations and rights of the controller: the rights of the controller are further dealt with in the following sections (e.g. with respect to the right of the controller to perform inspections and audits). As regards the obligations of the controller, examples include the controller’s obligation to provide the processor with the data mentioned in the contract, to provide and document any instruction bearing on the processing of data by the processor, to ensure, before and throughout the processing, compliance with the obligations set out in the GDPR on the processor’s part, to supervise the processing, including by conducting audits and inspections with the processor.
Again, the EDPB explained its view on how this requirement under the GDPR is constructed and then left an out (or uncertainty if one is trying to gauge her compliance) in asserting “other relevant information may need to be included, depending on the context and the risks of the processing as well as any additional applicable requirement.” The Board does not even hint at what “other relevant information” could be required.
The EDPB stated “[t]he processor must only process data on documented instructions from the controller (Art. 28(3)(a) GDPR),” a somewhat self-evident observation under the GDPR that the Board expands upon. Controllers should provide documented instructions to processors for each processing activity, and if processors stray outside these instructions, they breach the GDPR and may even become controllers and face additional liability. The Board added that controllers and processors should pay special attention to the transfers of personal data to other nations, particularly in the situation where a processor is using a subcontracting processor. Each party in such a situation must obey EU law with respect to transfers and is accountable for transfers to nations that do not have adequacy decisions with the EU (e.g., the United States). Moreover, the controller may have issued instructions to the processor on transfers, and the latter is bound by the former’s directives so long as they comport with the GDPR and EU law. The Board noted EU or member state law may direct processing or transfers by law, and in these circumstances, the agreement can be superseded.
The Board continued by noting that contracts must heed the GDPR on the confidentiality obligations of those people processing personal data. The EDPB also expanded on the “technical and organisational measures” controllers must ensure processors are putting in place:
The contract needs to include or reference information as to the security measures to be adopted, an obligation on the processor to obtain the controller’s approval before making changes, and a regular review of the security measures so as to ensure their appropriateness with regard to risks, which may evolve over time.
The Board reminded controllers that any agreement for processing must specify that processors cannot engage other processors unless the controller is informed. The EDPB added that processors have a duty to aid controllers in responding to a person’s exercise of her GDPR rights. The Board further explained processors must help controllers meet other obligations under the GDPR, and these obligations should be identified in the agreement between them to process data. The Board then detailed some of these obligations:
- Moving on to the specific obligations, the processor has, first, a duty to assist the controller in meeting the obligation to adopt adequate technical and organisational measures to ensure security of processing. While this may overlap, to some extent, with the requirement that the processor itself adopts adequate security measures, where the processing operations of the processor fall within the scope of the GDPR, they remain two distinct obligations, since one refers to the processor’s own measures and the other refers to the controller’s.
- Secondly, the processor must assist the controller in meeting the obligation to notify personal data breaches to the supervisory authority and to data subjects. The processor must notify the controller whenever it discovers a personal data breach affecting the processor’s or a sub-processor’s facilities / IT systems and help the controller in obtaining the information that needs to be stated in the report to the supervisory authority. The GDPR requires that the controller notify a breach without undue delay in order to minimize the harm for individuals and to maximize the possibility to address the breach in an adequate manner. Thus, the processor’s notification to the data controller should also take place without undue delay. Depending on the specific features of the processing entrusted to the processor, it may be appropriate for the parties to include in the contract a specific timeframe (e.g. number of hours) by which the processor should notify the controller, as well as the point of contact for such notifications, the modality and the minimum content expected by the controller. The contractual arrangement between the controller and the processor may also include an authorisation and a requirement for the processor to directly notify a data breach in accordance with Articles 33 and 34, but the legal responsibility for the notification remains with the controller. If the processor does notify a data breach directly to the supervisory authority, and inform data subjects in accordance with Articles 33 and 34, the processor must also inform the controller and provide the controller with copies of the notification and information to data subjects.
- Furthermore, the processor must also assist the controller in carrying out data protection impact assessments when required, and in consulting the supervisory authority when the outcome reveals that there is a high risk that cannot be mitigated.
The Board stated processors must make available all information necessary for controllers to ensure compliance with the GDPR, including through audits and inspections. The EDPB conceded the GDPR is silent on who shall pay for audits but opined that the agreement for processing should not set a “clearly disproportionate or excessive” cost on audits, regardless of who is paying, for this would lend itself to audits not occurring.
The EDPB then tries to resolve the tension in the GDPR between a processor’s obligation to follow a controller’s instructions and its obligation to immediately inform the controller if any such instruction infringes the law. Thereafter, a controller must assess whether the instruction does violate the GDPR and then proceed accordingly. However, the Board does not advise a processor to report a controller’s alleged infringement to a supervisory authority.
The next part of the guidelines worth attention pertains to the consequences of joint controllership. The Board observes “Article 26(1) of the GDPR provides that joint controllers shall in a transparent manner determine and agree on their respective responsibilities for compliance with the obligations under the Regulation.” The EDPB construes the word “respective” as entailing a responsibility among joint controllers to determine which shall do what with respect to meeting compliance obligations. The Board envisions a clear allocation of data protection compliance among the parties, most likely so that there are no misunderstandings, gaps, or opportunities for joint controllers to try and pin non-compliance on other controllers. The EDPB suggested “the compliance measures and related obligations joint controllers should consider when determining their respective responsibilities, in addition to those specifically referred in Article 26(1), include amongst others without limitation:
- Implementation of general data protection principles (Article 5)
- Legal basis of the processing (Article 6)
- Security measures (Article 32)
- Notification of a personal data breach to the supervisory authority and to the data subject (Articles 33 and 34)
- Data Protection Impact Assessments (Articles 35 and 36)
- The use of a processor (Article 28)
- Transfers of data to third countries (Chapter V)
- Organisation of contact with data subjects and supervisory authorities
As is the case elsewhere in these guidelines, there may always be additional considerations for joint controllers, and the EDPB declined to offer a definitive or exhaustive list of items joint controllers should decide upon.
However, the EDPB pointed out that the GDPR does not require an agreement between joint controllers as it does between controllers and processors, but “for the sake of legal certainty, even if there is no legal requirement in the GDPR for a contract or other legal act, the EDPB recommends that such arrangement be made in the form of a binding document such as a contract or other legal binding act under EU or Member State law to which the controllers are subject.” The EDPB noted the GDPR requires that the “essence” of a joint controllership arrangement be made available to data subjects (i.e. the people whose data is being processed) but is also silent on what constitutes the essence. The EDPB suggests some ways joint controllers could meet this requirement but leaves matters open. The Board also reiterates that people are not bound by the arrangement and may exercise their rights against any or all of the joint controllers regardless of how the processing obligations have been apportioned. Likewise, data protection authorities are not bound by joint controller arrangements and may contact any of the parties for purposes of compliance and enforcement.
The EDPB provided a flowchart “for applying the concepts of controller, processor and joint controllers in practice:”
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.