The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations.
Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018.
With new obligations on such matters as data subject consent, data anonymization, breach notification, trans-border data transfers, and appointment of data protection officers, to name a few, the GDPR requires companies handling EU citizens’ data to undertake major operational reform.
This is the seventh in a series of articles addressing the top 10 operational impacts of the GDPR.
Clarifying duties and responsibilities of controllers and processors
In its effort to protect and expand the rights of data subjects, the GDPR creates clear lines of accountability over data processing. This is especially evident in the way it delineates responsibilities between “controllers” and “processors” for handling personal data.
Under the Directive, data processors had duties of confidentiality and security. The Directive allowed them to act only with instructions from the controller, under contract, and to provide controllers with assurances of adequate technical and administrative measures to protect personal data.
The GDPR expands significantly upon the controller’s responsibility for processing activities and sets out specific rules for allocating responsibility between the controller and processor.
The Regulation’s more detailed requirements for controller-processor contracts may compel some data controllers to reassess their vendor agreements to achieve compliance. Moreover, processors not only have additional duties under the GDPR, they also face enhanced liability for non-compliance or for acting outside the authority granted by a controller. Nonetheless, the burden for personal data protection under the GDPR still rests primarily with controllers.
Burden on Controllers
The GDPR defines a controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” The controller, therefore, is the entity that makes decisions about processing activities, regardless of whether it actually carries out any processing operations.
Article 24 makes controllers responsible for ensuring that any processing activities are performed in compliance with the Regulation. Controllers must “implement appropriate technical and organisational measures” not only to ensure compliance, but also to be able to demonstrate the measures that they have in place.
Controllers also have specific responsibility for:
- Carrying out data protection impact assessments when the type of processing is “likely to result in a high risk to the rights and freedoms of natural persons” and implementing appropriate technical safeguards.
- Assuring the protection of data subject rights, such as erasure, reporting and notice requirements, and maintaining records of processing activities.
- Duties to the supervisory authority, such as data breach notification and consultation prior to processing.
While the Regulation imposes these heightened requirements on controllers, it is important to note that it also relaxes one of the requirements that existed under the Directive. Controllers will no longer be required to register their processing activities with a Data Protection Authority (DPA) in each member state. Instead, the GDPR imposes strict requirements on controllers to maintain their own detailed records of processing.
The GDPR allows controllers to demonstrate their compliance with the Regulation by adhering to codes of conduct and certifications that were approved by DPAs in the relevant member states. The Regulation also encourages controllers to implement the principles of data protection by design and by default, where feasible. In essence, this means that controllers should design products with privacy in mind, rather than tacking it on as an afterthought, and that privacy-protective settings should be the default in any product.
Selecting processors
Controllers are liable for the actions of the processors they select and responsible for compliance with the GDPR’s personal data processing principles. Under the GDPR, the term “processor” means a “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” In other words, while the controller is the entity that makes decisions about processing activities, the processor is any entity contracted by the controller for carrying out the processing. If a processor acts as a controller or outside the scope of authority granted by a controller, however, then the Regulation treats the processor as a controller for the relevant processing and it becomes subject to the provisions regarding controllers.
When selecting a processor, controllers must only use processors that provide sufficient guarantees of their abilities to implement the technical and organizational measures necessary to meet the requirements of the GDPR. For example, if a controller uses binding corporate rules or standard contractual clauses as an appropriate safeguard for cross-border data transfers, controllers should bind processors they select to those rules or terms. The Directive was largely silent on how such guarantees could be shown; under the GDPR, the “sufficient guarantees” obligation can be met through the use of an approved code of conduct or certification mechanism.
The controller should also consider carrying out a data protection impact assessment prior to selecting a processor. The Recitals suggest that such an assessment is prudent in all cases, but is particularly vital when the parties are handling sensitive personal data. The controller ignores at its peril signs that using a particular processor may involve high risk to personal data. The best approach if the controller wishes to proceed with that processor is to consult the relevant data protection authority first.
Once a processor is selected, the relationship between controller and processor should be governed by a contract or other legal act under Union or Member State law. The contract should contain provisions regarding the tasks and responsibilities of the processor. These provisions include how and when data will be returned or deleted after processing, and the details of the processing, such as subject-matter, duration, nature, purpose, type of data and categories of data subjects. The controller and processor may also choose to use standard contractual clauses adopted by the Commission.
Processors’ additional duties and restrictions on subcontracting
The GDPR prescribes specific obligations of processors in addition to contract terms between controllers and processors. Processors’ duties are primarily to controllers, including requirements to: (a) process data only as instructed by controllers; (b) use appropriate technical and organisational measures to comply with the GDPR; (c) delete or return data to the controller once processing is complete; and (d) submit to specific conditions for engaging other processors.
The processors’ restrictions on subcontracting bear special attention. Under the GDPR, processors are prohibited from enlisting another processor without prior specific or general written permission of the controller. In either case, controllers retain the right to object to the addition or replacement of processors. Thus, if a processor enlists a sub-processor based on the controller’s general consent, Article 28 requires the processor to inform the controller so that it may have the opportunity to object. Sub-processors are also subject to the same requirements under the GDPR, and they too are bound by any contracts with the controller.
While the controller is responsible for maintaining records of processing activities, processors are responsible for maintaining records of all categories of personal data processing carried out on behalf of the controller. These records should contain contact information for the processor(s) and the controller(s), the categories of processing carried out for each controller, information on cross-border transfers if applicable, and a general description of the implemented technical and organizational security measures.
Joint controllers
Article 26 provides specific provisions for when “two or more controllers jointly determine the purposes and means of processing.” Joint controllers are required to create an agreement determining their respective duties to comply with the Regulation. The agreement must be available to data subjects and may designate one point of contact amongst them for data subjects. Regardless of the allocation of responsibility set out in the contract, data subjects are entitled to enforce their rights against either controller. Therefore, each joint controller is individually liable for compliance with the Regulation.
Data breach responsibilities
In the event of a personal data breach that occurs on the processor’s watch, the processor is required to notify the controller without “undue delay.” The burden then falls on the controller to notify the supervisory authority within 72 hours of becoming aware of the breach. If notification is not made within 72 hours, controllers are required to provide a reasoned justification for the delay. Controllers are also responsible for documenting personal data breaches, including the facts of the breach, its effects, and remedial actions.
For more on this subject, see part 1 in this series.
Liability and penalties
Controllers are liable for the damage caused by processing “which infringes” the GDPR. Processors, on the other hand, are liable “only where it has not complied with the obligations of [the GDPR] specifically directed to processors or acted outside or contrary to lawful instructions of the controller.” In other words, parties bringing claims against processors under the GDPR must prove an additional element apart from damage and general noncompliance, namely, that the processors have violated one of their specific legal duties or contractual obligations.
When non-compliance is established, the burden shifts to controllers and processors to prove they are not responsible for the damage in any way.
When the controller and processor are joined in the same judicial proceedings, liability for damages may be apportioned among them according to their respective responsibility for the harm, as long as the data subject(s) receive full compensation. Additionally, controllers or processors who have paid the entire compensation may institute proceedings against other controllers or processors involved in the same processing to claim back the portion(s) for which they are not responsible.
photo credit: Unionization and New Media via photopin (license)