The Regulation will have a significant impact on service providers/vendors (i.e. data “processors”) and organisations that engage them because:
- The Regulation imposes a number of detailed obligations and restrictions directly on processors, unlike the current Directive that only applies to data controllers
- A processor will be fully liable for the actions of any sub-processor that it uses to provide its services and will be required to flow down its obligations under the Regulation to the sub-processor
- There are significant penalties which can be imposed on processors for failure to comply with their increased responsibilities and individuals have enhanced rights to seek compensation directly from service providers
- The new law is much more prescriptive about the contractual arrangements that must be in place between controllers and processors than under the current Directive
The new rules are considered in further detail below and will be triggered where:
- The processor is established in the EU (even if the actual processing takes place outside the EU)
- The processor offers goods or services to, or monitors the behaviour of, EU-based individuals (even if the processor is not established in the EU). In such circumstances the non-EU based processor must designate an EU representative, unless the data processing is occasional, does not involve sensitive data processing or is not high risk to the individual
Likely practical impact for processors
The Regulation goes beyond the position under the current Directive by imposing a number of obligations directly on processors. This means that service providers now run the risk of direct enforcement action by a supervisory authority in the event of non-compliance with their new obligations, which include the following:
- Stricter requirements for sub-processing. The Regulation contains a new restriction on processors engaging another processor (i.e. sub-processing) without the consent of the controller. A controller may provide a general consent to sub-processing but if it does, the processor is required to inform the controller of any new or replacement sub-processors and the controller has the right to object. Processors must impose the same data privacy obligations on the sub-processors (see below) and will remain fully liable for the sub-processor’s performance.
- Prescriptive terms for contracts with controllers (explained in further detail below).
- Maintain records of processing activities. Most processors will be required to maintain documentation about their data processing activities (unless they employ fewer than 250 people and are not engaged in high risk or sensitive data processing), such as the name and contact information of each controller on whose behalf the processor is acting, the categories of processing carried out on behalf of each controller and details of transfers to non-EU countries. The processor may also be required to submit the documentation to a supervisory authority if requested to do so.
- Implement security. Processors will be directly responsible for implementing appropriate security measures. This includes a positive obligation to consider pseudonymisation and encryption, ensure ongoing confidentiality, integrity, availability and resilience of systems and services, restore access to data and operate a process to regularly test, assess and evaluate the effectiveness of security measures. The processor must also notify a controller without ‘undue delay’ after becoming aware of a personal data breach.
- Appoint a data protection officer. Processors will be required to appoint a data protection officer (‘DPO’) where their core processing activities involve, on a large scale, (i) regular and systematic monitoring of individuals or (ii) processing of sensitive or criminal data.
- Comply with the international data transfer requirements. Processors alongside controllers are responsible for compliance with the data transfer rules. Notably, if a processor receives a request from a non-EU court, tribunal or administrative authority to disclose data held in the EU (and therefore make a data transfer) and it cannot rely on another ground for transfers, this request is only recognised under the Regulation if based on an international agreement (such as a mutual legal assistance treaty) in force between the non-EU country and the EU or Member State.
- Co-operate with a supervisory authority if requested to do so. Processors will therefore need to consider how they will comply with this obligation in a way that does not amount to a breach of contract with a controller.
Likely practical impact for data processing agreements
For businesses that use processors to provide services on their behalf, one of the most significant changes in relation to data processors’ new obligations is that the Regulation prescribes the terms that must be contained in a written agreement between the controller and processor. The contract must contain more detail than is required under the Directive about the processing the processor is engaged in and in particular must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. This is a significant change for some processors, for example cloud service providers, who currently may know nothing about the data they host.
The processor must also:
- Process the personal data only on ‘documented instructions’ from the controller, including in relation to international data transfers
- Ensure that the processor’s staff are committed to confidentiality
- Take all appropriate security measures as required by the Regulation
- Sub-contract only with the prior specific or general written consent of the controller, flow down its obligations and remain liable for the actions of any sub-processors, as noted above (so deals being negotiated currently should ideally be future-proofed by obtaining this consent now)
- Help the controller respond to requests from individuals
- Assist the controller with data security, data breaches, data protection impact assessments and when consulting with the DPA
- Delete or return all data to the controller at the end of the provision of data processing services and delete existing copies unless required to retain them by law
- Make information available to the controller to demonstrate the processor’s compliance and allow for and contribute to audits
These changes will likely lead to service providers pushing for detailed allocation of risks in their contractual arrangements.
In addition, the Regulation does not specifically address the position in relation to existing contracts or put in place transitional arrangements which means that many service agreements between controllers and processors may need to be renegotiated.
Sanctions for non-compliance
The Regulation proposes penalties of up to 4% of worldwide turnover or €100 million for the most serious data protection breaches, which significantly increases the risk to both controllers and processors if they fail to discharge their regulatory obligations. DPAs also have extensive supervisory powers, including powers to obtain access to all the personal data a processor holds, access processor premises, issue warnings, order compliance and ban processing. Another significant change is that individuals will also have the right to seek a judicial remedy and claim compensation directly against a processor for infringing their rights as a result of the processor’s non-compliance with the Regulation. Additionally, where an individual’s rights are violated, the individual may claim in full against the processor, leaving the processor to bring a claim against the controller to recover its share of the liability.
The heightened risks and direct obligations for data processors under the Regulation will therefore very likely impact on negotiations with service providers going forward, particularly in respect of security standards, risk allocation and pricing.
New codes of conduct and certification mechanisms
Controllers are expressly required by the Regulation to appoint only processors that are able to provide sufficient guarantees to the effect that they can provide their services in compliance with requirements of the law and ensure the protection of the rights of individuals. The Regulation also encourages the drawing up of codes of conduct and certification mechanisms by data protection authorities, the European Data Protection Board, the Commission, associations and industry bodies. It is therefore likely that sophisticated processors will seize upon the opportunity to demonstrate sufficient guarantees by adherence to these new codes of conduct and certification mechanisms although adherence to a code or scheme brings with it greater scrutiny, and if there is a failure, the prospect of being publicly suspended or excluded from the code or scheme.
What to do now
- Controllers should identify all current contracts with data processors and their renewal dates, in order to develop a plan for bringing them into compliance with the Regulation.
- Future-proof deals being negotiated now. Controllers and processors should carefully document the responsibilities of the parties and specifically take into account the forthcoming changes when deciding on providing consent for sub-processors, pricing, security standards and risk allocation.
- Processors should identify any aspects that have significant impact on their business operations and start preparing for their increased obligations.
- Consider appropriate outreach actions, for example to contribute to new codes of conduct and certification mechanisms in conjunction with relevant industry bodies and associations.
This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”