What’s the deal?
The Regulation will have a significant impact on service providers/vendors (i.e. data “processors”) and organisations that engage them because:
- The Regulation imposes a number of detailed obligations and restrictions directly on processors, unlike the current Directive that only applies to data controllers
- There are significant penalties which can be imposed on processors for failure to comply with their increased responsibilities
- The new law is much more prescriptive about the contractual arrangements that must be in place between controllers and processors than under the current Directive
- If processors act outside the authority given to them by controllers, they may be deemed a joint controller and therefore held to an even higher standard of accountability.
The new rules are considered in further detail below and will be triggered where:
- The processor is established in the EU
- EU law applies to the activities of the controller.
Likely practical impact for processors
The Regulation goes beyond the position under the current Directive by imposing a number of obligations directly on processors. This means that service providers now run the risk of direct enforcement action by a supervisory authority in the event of non-compliance with their new obligations, which include the following:
- Maintain documentation. Most processors will be required to maintain documentation about the processing operations under their responsibility, such as the name and contact information of the controller/s the processor is acting on behalf of, the purposes of the processing, any legitimate interests pursued by the controller (where relevant) and information about retention periods. The main difficulty with this provision is that much of the information that is required will be information about the controller, but the obligation to maintain it lies with both parties which, in practice, means that controllers and processors will be required to document their relationship and the processing activities in much more detail. The processor may also be required to submit the documentation to a supervisory authority if requested to do so
- Implement Security. Processors will be directly responsible for implementing appropriate security measures and must also alert and inform a controller immediately after the establishment of a personal data breach
- Carry out data protection impact assessments. The Regulation requires impact assessments to be carried out when processing operations present certain specified risks, either by the controller or the processor acting on their behalf
- Obtain prior authorisation or undertake prior The processor will be required to consult or obtain prior authorisation from the relevant supervisory authority prior to certain processing activities being undertaken
- Appoint a data protection officer. Many processors will be required to appoint a data protection officer if certain thresholds are met
- Comply with the international data transfer requirements
- Co-operate with a supervisory authority if requested to do so, for example by submitting documentation to demonstrate compliance with the above responsibilities.
Likely practical impact for data
For businesses that use processors to provide services on their behalf, one of the most significant changes in relation to data processors’ new obligations is that the Regulation prescribes the terms that must be contained in a written agreement between the controller and processor. The specific requirements which must be placed on processors are as follows:
Only to act on the instructions from the controller, in particular where the transfer of personal data is prohibited
- Ensure that the processor’s staff are committed to confidentiality
- Take all security measures as required by the Regulation
- Sub-contract only with the prior permission of the controller (so deals being negotiated currently should ideally be future-proofed by obtaining this consent now)
- Agree with the controller the necessary technical and organisational requirements for fulfilment of data subjects’ rights in accordance with the Regulation
- Assist the controller with complying with the breach notification, data protection impact assessment and prior authorisation obligations contained in the Regulation
- Hand over results at the end of the processing and not process data otherwise
- Make information available to the controller and supervisory authority in certain circumstances.
These changes will likely lead to service providers pushing for detailed allocation of risks in their contractual arrangements.
In addition, the Regulation does not specifically address the position in relation to existing contracts or put in place transitional arrangements which means that many service agreements between controllers and processors may need to be renegotiated.
According to the draft Regulation, where a processor processes personal information other than as instructed by the controller, it will be considered a controller in respect of that processing and subject to the prescribed rules regarding joint controllers. These include an obligation on the joint controllers to define their respective responsibilities and agree on who will conduct the necessary procedures for subject access requests. It is unclear how this provision will work in practice, but it will likely require controllers and processors to document the processor’s tasks in more detail. It may also have significant impact on the way that cloud service providers manage their services in Europe, which could impact the costs of such services going forward. However, the Council has deleted this provision from its latest text.
Sanctions for non-compliance
The Regulation proposes penalties of up to 2% of worldwide turnover or €100 million for the most serious data protection breaches which significantly increases the risk to both controllers and processors of data if they fail to discharge their regulatory obligations. In particular, it is a significant change from the current Directive that processors will be directly liable for certain fines when there has been a breach which will very likely impact on negotiations with service providers, particularly in respect of security standards, risk allocation and pricing.
New codes of conduct and certification mechanisms
Controllers are expressly required by the Regulation to appoint only processors that are able to provide sufficient guarantees to the effect that they can provide their services in compliance with requirements of the law. The Regulation also encourages the drawing up of codes of conduct and certification mechanisms by data protection authorities, the Commission, associations and industry bodies. It is therefore likely that sophisticated processors will seize upon the opportunity to demonstrate sufficient guarantees by adherence to these new codes of conduct and certification mechanisms and those who do so will have a competitive advantage.
What to do now
- Future proof deals being negotiated now. Controllers and processors should carefully document the responsibilities of the parties and specifically take into account the forthcoming changes when deciding on providing consent for sub-processors, pricing, security standards and risk allocation.
- Processors should identify any aspects that have significant impact on their business operations and start preparing for their increased obligations.
- Consider appropriate outreach actions, for example to contribute to new codes of conduct and certification mechanisms in conjunction with relevant industry bodies and associations
This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.” To access the full guide, click here.