Data Processing Agreement and its new challenges
The long-awaited General Data Protection Regulation (GDPR) brings new, specific requirements for data processing agreements, the mandatory prerequisite for any cooperation between a data controller and a processor.
The agreement itself is not a novelty. National laws (and the Data Protection Directive) have required it for years. However, the regulation of its content was, at least in the Czech Republic, very limited (essentially a single paragraph, Section 6 of the Czech Personal Data Protection Act). Under that paragraph, a personal data processing agreement must be made in writing, must explicitly stipulate the scope, purpose and period of time for which it is concluded, and must contain the processor's guarantees regarding the technical and organisational measures securing the protection of personal data.
Given these minimalistic requirements, controllers and processors attached little importance to such contracts. Moreover, the obligation to have an agreement governing the relationship between the controller and its processor was quite often ignored or, at least, underestimated. One reason was that no sanction was attached to a breach of Section 6 of the Personal Data Protection Act.
This will change once the GDPR takes effect. Not only does the GDPR significantly extend the content requirements; a breach of the controller's or processor's obligations under Article 28 is also an infringement punishable by an administrative fine of up to EUR 10,000,000 or 2% of the total worldwide annual turnover, whichever is higher, under Article 83(4)(a) of the GDPR.
How do controllers and processors react to the change? Quite often they apply the quickest and (at first sight) simplest solution: they copy and paste the wording of Article 28 of the GDPR into the agreement to satisfy the regulation. But do controllers and (especially) processors give a second thought to all the obligations they are thereby entering into?
Let us focus on some provisions of Article 28(3) of the GDPR. For example, under point (e) the contract between the controller and the processor shall stipulate that the processor, taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR. Now imagine that this general provision is copied unchanged into a data processing agreement between a cloud service provider and a tyre manufacturer. Both parties will be satisfied that they comply with Article 28 of the GDPR and that everything is formally covered. But what would be the real impact on the data the processor processes for the controller?
Imagine that the controller uses a cloud-based CRM system and stores the personal data of its customers in the cloud provided by the processor. One day, a former employee of one of those customers asks the controller to stop recording him as the contact person for his former employer. The controller forwards this request to the cloud service provider with the instruction to erase Mr XY from all databases connected to the CRM system. The cloud service provider logically replies that it cannot even identify the data the controller has stored in the cloud and that the deletion should be performed by the controller. The controller, however, insists, emphasising that the cloud service provider is the expert in this area and that the controller's employees do not know how to erase all the data properly. And, what may be crucial, under the data processing agreement the processor undertook to assist the controller in exactly such situations. We will stop the story here before it turns into pure fable.
The point is that such an ordinary situation may lead to serious conflicts between the controller and the processor. The wording of the provision in question is so general that it is clearly open to interpretation, even to the point where the controller expects the processor to respond to data subjects' requests itself. In other words, the pure copy-and-paste approach may result in a situation in which the processor takes over the actual fulfilment of all (or most) of the controller's obligations, or at least in which the controller interprets the agreement that way.
This leads to another problematic point: the scope of the data processing agreement. The GDPR explicitly states that the contract "shall stipulate, in particular, that the processor...". The regulation insists that every processor shall undertake to process the personal data only on documented instructions from the controller, assist the controller with several of its obligations, allow for and contribute to audits, and so on. This naturally applies also to cloud service providers, whose contracts are mostly standard form contracts. Most clients of a cloud service provider will expect the provider to be an expert in this field. This puts cloud service providers, and other processors who are professionals in their field, under greater pressure, since controllers are likely to engage them precisely because of their expertise.
Under Section 5 (2) of the Czech Civil Code, "a person who offers professional performance as a member of an occupation or profession, whether publicly or in dealings with another person, demonstrates his ability to act with the knowledge and care associated with his occupation or profession. If the person fails to act with such professional care, he bears the consequences." Following this, Section 2950 thereof states that "A person who offers professional performance as a member of a vocation or profession, or otherwise acts as an expert, shall provide compensation for damage caused by his provision of incomplete or incorrect information or harmful advice provided for consideration in a matter related to his expertise or skill."
It is important to emphasise that the word "assist" in Article 28 of the GDPR in particular is very broad. It is therefore highly desirable to specify in the agreement the form of assistance, in accordance with the nature of the processing.
To sum up, cloud service providers and other processors should be very careful about how they formulate their obligations under data processing agreements, in order to prevent any misunderstanding of their obligations towards controllers (and the liabilities that may arise from such misunderstandings). In particular, they should make sure that controllers understand not only the scope of the services they will receive, but also which aspects of personal data protection the processor does not provide (or at least does not provide free of charge).
This brings us to another topic: the GDPR does not prevent processors from charging for the assistance and other services they provide under the processing agreement. For example, under point (h) of Article 28(3) of the GDPR, the processor makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in that Article and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
This is an obligation for which the costs of an inspection should be settled in the data processing agreement in order to prevent disputes. Each side can argue that the other should bear the cost: the controller may say that since it is the processor's obligation, the costs should fall on the processor; the processor may argue that the controller initiated the audit and should therefore pay for it. Such an argument may even end up in court proceedings. It is therefore very important to settle the question of who covers the costs, especially where some of the services amount to the realisation of data subjects' rights, which the controller must ensure free of charge.
From the viewpoint of personal data processing agreements, the GDPR brings many challenges, from the need to amend existing agreements that (in scope, specificity, etc.) do not comply with the GDPR, to finding a workable balance between the formal and (unfortunately) not always realistic expectations of Article 28 and real life. In any case, from May 2018 onwards, signing a personal data processing agreement will no longer be a mere formality.
Article provided by: Ivana Nemčeková and Tomáš Nielsen (NIELSEN MEINL, advokátní kancelář, s.r.o. / Czech Republic)
Discover more about the Cloud Privacy Check (CPC) / Data Privacy Compliance (DPC) project
Director CPC project: Dr. Tobias Höllwarth, tobias.hoellwarth@eurocloud.org