Impact on data processors

In brief

Under the Regulation, data processors are acquiring many more direct obligations for data protection compliance than is the case under existing law.

There are new requirements for contracts between data controllers and data processors.  This will require data controllers to review their existing contracts and amend them as necessary, as well as ensure that the requirements are dealt with in new contracts.

Background

In the current EU data protection regime established under Directive 95/46/EC, the onus for data protection compliance sits with data controllers (ie those organisations that determine the purposes for which and the manner in which personal data are processed).  It is therefore data controllers who are responsible for the acts and omissions of data processors that they appoint to process personal data on their behalf.  Data processors are not directly responsible for compliance with the EU data protection rules in respect of processing that is within the scope of their appointment by the data controller (although they may have contractual liability to the data controller).

Changes

Under the Regulation it is proposed that data processors acquire more direct responsibility for data protection compliance alongside data controllers.  The application of the Regulation to data processors is made clear from the outset in Article 3 (Territorial Scope) where the Regulation states that it applies to the processing of personal data in the context of the activities of “an establishment of a controller or a processor” in the EU.

Whilst the majority of obligations are still expressed as sitting with data controllers, there are a number of instances where data processors are referred to and therefore acquire their own compliance responsibility.  For example:

  • Article 26 (Processors) – data processors must obtain the written consent of controllers before appointing sub-processors.  Processors must ensure that contracts with sub-processors include the same data protection obligations as are found in the contract between the processor and controller.  “Initial” processors will remain fully liable for the failure by sub-processors to comply with their data protection obligations
  • Article 28 (Records of Personal Data Processing) – data processors must maintain records of all personal data processing, including details of the processor, the  controller, the data protection officer, categories of data processing and categories of overseas transfers of data.  The processor’s records must be available for inspection by supervisory authorities
  • Article 30 (Security of Processing) – data processors will have their own duty to ensure that appropriate organisational and technical data security measures are put in place to protect personal data (as opposed to the imposition of that duty through a contract with the data controller)
  • Article 31 (Notification of Security Breaches) – data processors will have a duty to notify data controllers of any security breach without undue delay after becoming aware of the breach
  • Article 35 (Designation of a data protection officer) – data processors must appoint a data protection officer, in the same way as will be required of data controllers, where required by EU law or the law of a Member State.

As regards the relationship between the data controller and the data processor the requirements of the Regulation closely follow the requirements of existing law.  There are, however, a couple of notable differences. The contract between the data controller and data processor must for example, require the data processor to:

  • assist the controller in complying with data subjects’ rights provided for under the Regulation.  These data subjects rights include the right of access data (often dealt with in data processor contracts) but also new rights such as the right to data portability and the “right to be forgotten”
  • make available to the controller all information necessary to demonstrate compliance with its obligations and allow onsite inspections by the controller
  • obtain the controller's consent to use of a sub-processor
  • delete/return all data.

Analysis

The Regulation makes a number of explicit references to compliance with the requirements of the Regulation by processors, as noted above. Service providers in industries such as the outsourcing or data storage markets will have to think very carefully about the impact of these responsibilities on their business.  These responsibilities will inevitably lead to greater administration and internal cost for processors, which is likely to be passed on to their customers. As regards the relationship with between data controllers and data processors, there will be a number of issues to be addressed by both sides as a consequence of the implementation of the Regulation, including:

  • the additional requirements to be included within data processor contracts.  These will apply to new data processor contracts but will also apply to existing contracts and therefore data controllers will have to re-visit existing data processor contracts
  • the apportionment of liability between data controllers, data processors and sub-processors will have to be considered very carefully.  Up until now the equation has been relatively simple.  Data controllers have been responsible for the acts and omissions of processors and therefore have looked to back that off in the contract, often through the use of uncapped indemnities.  Given the massive increase in potential fines under the Regulation, the obligation on processors to pass obligations on to sub-processors, and the fact that processors will have their own liability under the Regulation as well as liability for the breaches of sub-processors, it seems likely that data processors will take a more cautious approach to accepting a simple pass through of liability from data controllers. 

Conclusion

The relatively clean split in responsibility between data controllers and data processors in the existing EU data protection law is going to be replaced with a somewhat more complex regime, where both data controller and data processor have, to a greater or lesser extent, their own obligations with respect to the data they are handling.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.