The GDPR: Controller, Processor and Data Processing Agreement
Do you outsource your payroll administration to an administrative office? Then you are the ‘controller’ and the administrative office is a ‘processor’ under the General Data Protection Regulation (GDPR).
The controller determines the purposes and the means of the processing of personal data: you decide what the administrative office must do with the personal data of your personnel.
The processor processes personal data on the instruction and on behalf of the controller, its client. A party is a processor if its assignment focuses primarily on processing personal data. If the processing of personal data is merely an ancillary activity arising from another main task, the party is not considered a ‘processor’.
Internet service providers, SaaS providers, call centres and online marketing agencies are often cited as examples of processors. Unfortunately, in practice it is not always easy to determine which role a party has within a specific relationship. An independent accountant, for example, is a processor if he carries out the payroll administration for a client, but he is most likely an independent controller if he has received a wide-ranging assignment from that same client without clear instructions. In the latter role he acts independently and determines the purpose and the means himself.
In an earlier blog we gave you ten tips to be ready for the GDPR. In this blog I will explain tip number 6 in more detail: verify your “data processing agreements”. If you have not yet entered into data processing agreements with specific processors, the advice is to conclude one now that meets the requirements of the GDPR.
Does the processor meet the requirements of the GDPR?
First of all, the GDPR requires the controller to make a reasoned choice of a specific processor and to verify whether that processor meets the GDPR requirements. The controller carries the primary responsibility and must be able to demonstrate that he has chosen “a processor who offers sufficient guarantees with regard to the application of technical and organisational measures, so that the processing meets the GDPR requirements and the protection of the rights of the data subjects is safeguarded.”
That is quite a lot, certainly where a small controller faces a large processor or where the controller lacks the necessary expertise. Can you picture yourself going to see the Microsofts of the world in order to carry out a security audit?
Third Party Memorandum
The GDPR makes allowances for the controller by providing that the processor's adherence to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate that it offers ‘sufficient guarantees’.
Processors can also convince controllers that they are a trustworthy party by means of a Third Party Memorandum. A Third Party Memorandum or third party statement is a statement from an independent auditor who has assessed whether the processor's organisation meets the requirements imposed by the GDPR. Bear in mind that such a statement only covers the services, systems and period the auditor actually examined, so check that its scope matches the processing you outsource.
Data Processing Agreement
The GDPR moreover stipulates that a written (or electronic) agreement must be concluded between the controller and the processor and it imposes requirements on the contents of that data processing agreement. Article 28 of the GDPR lists the elements which must in any event be included in a data processing agreement, such as:
- the subject-matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and the categories of data subjects;
- the duty of the processor to process the personal data only on documented instructions from the controller and not for its own purposes or for third parties;
- the duty to take appropriate technical and organisational security measures, including an obligation of confidentiality for the persons handling the data and a limitation of access to the data on a strict need-to-know basis;
- no engagement of another processor (a sub-processor) without prior authorisation from the controller;
- observance of the rights of the data subjects and adherence to those rights (for example the right of a data subject to have personal data corrected);
- cooperation in Privacy Impact Assessments (or Data Protection Impact Assessments) and in investigations by the Dutch Data Protection Authority;
- the duty to return or delete the personal data at the end of the relationship (in so far as there is no statutory retention obligation).
The controller must verify whether his existing data processing agreements fulfil all these requirements and conclude new agreements where necessary. In that check, also look for the related obligations Article 28 attaches to the same duties: assistance with the notification of personal data breaches, and the processor's duty to make available the information needed to demonstrate compliance and to allow for and contribute to audits.
Even though it is the controller's responsibility to conclude a data processing agreement with each of his processors, in practice it often happens that a processor puts forward its own standard data processing agreement, tailored to its specific service.
In the end, the actual contents of a data processing agreement are tailor-made and the result of negotiations. Negotiations on a data processing agreement are entered into, for example, with a view to risk allocation. The privacy law lawyers of PlasBossinade are gladly prepared to assist you with drafting or verifying a data processing agreement or with negotiations about it.
In the next blog in this series, the requirements imposed by the GDPR on a privacy notice will be dealt with in more detail.