GDPR – Obligations of data processors

This update aims to provide you with a practical overview of the most relevant changes resulting from the General Data Protection Regulation (GDPR), applicable as from 25 May 2018. This month’s issue discusses the (new) obligations for data processors.

What is new? 
The concept of a data processor remains the same under the GDPR as it was under the Data Protection Directive (Directive 95/46/EC). The ‘data processor’ is the natural or legal person, public authority, agency or other body, which processes personal data on behalf of the data controller.

The most relevant change under the GDPR compared to the Directive is that the GDPR imposes direct compliance obligations on data processors resulting in direct enforcement measures (including serious penalties) if they do not comply. Where data processors currently have no direct interaction with the Data Processing Authorities (DPA’s), under the GDPR they will be required to cooperate with the DPA’s upon their request.

However, in practice, these GDPR requirements should not be entirely new for data processors, as most of the obligations under the GDPR are currently already contractually imposed on data processors in “data processing agreements”.

Data processing agreements
The GDPR, in contrast to the Directive, explicitly states which obligations needs to be covered in a written data processing agreement. In particular, it is expressly provided that the data processor:

  • only acts on the data controller’s documented instructions, unless Union or Member State law to which the processor is subject, determines otherwise;
  • imposes confidentiality obligations on all personnel involved in processing the relevant data;
  • must ensure the security of the personal data by implementing the measures (see last month’s update);
  • abides by the rules regarding the engagement of sub-processors (prior authorization needed of the controller and sub-processors must be appointed on the same terms as are set out in the contract between the data controller and the data processor);
  • assists the data controller, where possible, with implementing measures to comply with the rights of data subjects;
  • assists the data controller in obtaining approval from the relevant DPA’S;
  • at the data controller’s request, either returns or destroys the personal data at the end of the agreement (except as otherwise required by Union or Member State law); and
  • provides the data controller with all information necessary to demonstrate compliance with the GDPR.

Records of data processing activities
Under the GDPR, also data processors will be required to keep records of their data processing activities in order to be able to provide information included in those records to the DPA’s, upon request. Records should include: (i) details of the data controller and data processor and their representatives; (ii) the categories of processing activities that are performed; (iii) information regarding cross-border data transfers and; and (iv) a general description of the security measures that are implemented.

Data security obligations & Data breach reporting
Data processors are required to ensure the security of personal data that they process. Whereas (if at all), such obligation now only exist in data processor agreements, the GDPR now explicitly provides that data processors must notify data breaches to the data controller without undue delay. For more information about this subject, please read last month’s update.

Obligation to appoint a DPO
To the extent that the GDPR requires the appointment of a DPO, that requirement applies to data processors as well. For more information about the requirements of the DPO, please read one of our previous updates.

Restrictions on cross-border data transfers 
Cross-border data transfers are restricted unless the data is transferred to a country that guarantees an ‘adequate’ level of protection. We will discuss the data transfer prohibition and exemptions and derogations in a later GDPR-update. Under the GDPR, the rules regarding data transfers will apply directly to data processors.

Non-EU data processors 
Data processor located outside the EU will now also be captured, and will have direct statutory obligations for their activities as data processors under the GDPR. This will be the case if they undertake processing activities which are related to (i) the offering of goods or services to data subjects within the EU, or (ii) monitoring the behavior of European data subjects – as far as their behavior takes place within the EU.

Liability of data processors
Under the GDPR, data subjects can bring claims directly against data processors. Each data controller and data processor can be held liable for the damage suffered by a data subject as a result of non-compliance, and can be ordered to effectively compensate the data subjects involved. Such claims will, however, only result in liability for damages caused by the processing activities where the data processor has: (i) not complied with directly applicable obligations for data processors under the GDPR; or (ii) departed from the instructions of the data controller and acted on its own decisions. Where a data processor has paid damages that are partly or fully attributable to the data controller, the data processor is entitled to claim back the (relevant part of the) damages from the data controller.

What does the introduction of the GDPR mean for your organization and how can you prepare for it?

If you are a data controller:

verify whether the data processing agreements you entered into include all obligations that need to be covered under the GDPR. 

If you are a data processor:

  • Start identifying the processing activities you carry out and start keeping records thereof;
  • Set up internal procedures and protocols and appoint responsible persons for identifying, reviewing and notifying data breaches to the data controller;
  • Consider whether it is required to appoint a Data Protection Officer.