While under the current Directive 95/46 the data controller[1] remains legally responsible for any personal data processed by a data processor[2], the position of the GDPR[3] is to impose a number of obligations directly on the data processor in order to ensure much stronger protection of personal data.
These obligations include maintaining documentation on processing[4], co-operating with the supervisory authority[5], implementing security measures[6], notifying the controller of a personal data breach[7], carrying out a data protection impact assessment[8], obtaining prior authorisation from the relevant supervisory authority before processing, appointing a Data Protection Officer[9] and complying with the international data transfer requirements[10].
The word “processor” appears 11 times in Directive 95/46 against 59 occurrences of “controller”. In the GDPR the count is 264 to 504, so the relative frequency of “processor” is slightly less than three times higher in the new Regulation.
As to the obligation of a processor to implement security, under Article 17 of Directive 95/46 the controller, who literally determines the purpose and means of processing, has the obligation to ensure, through a contract or legal act with the processor, that the latter provides sufficient guarantees in respect of the technical security and organisational measures governing the processing[11]. If the processor does not comply with the terms of the contract, the special clauses of the contract apply in order to obtain compensation.
However, under the new Regulation the obligation of the data processor to implement security measures is no longer based on a contract or legal act binding the processor to the controller. Under Article 32 of the GDPR there is a statutory obligation for both processor and controller to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate.
Implications of this new approach:
As a result of this direct obligation, data processors would have less margin of appreciation for negotiating the terms and conditions of this obligation. There is also a high risk of direct enforcement action by the supervisory authority in case of non-compliance. Infringement of this statutory obligation shall be subject to administrative fines of up to 2% of global turnover[12], whereas, as mentioned above, infringement of the contractual obligation under the current Directive is met with the terms and conditions of the contract.
The position taken by the GDPR to impose a number of obligations directly on processors, and no longer indirectly through the controller, is understandable in light of two converging trends: the increasing number of companies (processors) whose main activity is data processing, and the increasing outsourcing by other companies (controllers) whose main activities are far from data processing and which lack the necessary and affordable technical expertise to do such processing themselves, but which, for purposes related to their main activities, wish to have the processing done by one or more processors.
This new approach seems more promising in terms of the security issues related to personal data processing, given the increasing autonomy of data processors in implementing and even in determining the means of processing. The controller, who is the sole subject of direct responsibility under the current Directive, is defined as the person who determines the purposes and means of processing. However, companies with a business model based on data processing have already determined and implemented their means of processing. It is neither highly desirable nor even affordable[13] for them to change those means, even slightly, on the demand of a customer (the controller). Therefore, in these cases it is not the controller who determines the means of processing; in fact, the controller adheres to what has already been determined as the means of processing. Thus a direct obligation on data processors is a necessary approach, as long as the technical processing done by processors can potentially create a risk, in terms of data protection, that cannot be mitigated indirectly through the sole intermediary of the controller.
[1] Under Article 4(7) of the GDPR, controller “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”
[2] Under Article 4(8) of the GDPR, processor “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
[3] Adopted on 14 April 2016 by the European Parliament.
[4] Name and contact details of the controller(s) and of the processor(s) acting on their behalf, the purpose of processing, data retention information and the legal basis of processing.
[5] Article 31 GDPR.
[6] Article 32 GDPR.
[7] Article 33 GDPR.
[8] When processing operations present certain specified risks.
[9] Article 37(1) GDPR, if certain thresholds are met: processing by a public authority (a), risky processing which requires regular and systematic monitoring of data subjects on a large scale (b), or large-scale processing of sensitive data or of data relating to criminal convictions and offences (c).
[10] Articles 44-49 GDPR.
[11] Directive 95/46, Art. 17(2).
[12] Article 58(2) GDPR.
[13] This implies the importance of privacy by design and by default (Article 25 GDPR) and of the data protection impact assessment (Article 35 GDPR).