Be careful who you entrust personal data to

2 February 2018

Enterprises being data controllers often disclose personal data to various suppliers who thus become data processors. The security of personal data being transferred and the data controller's compliance with GDPR provisions will depend on the service provider selection and the wording of personal data processing contracts. Enterprises may be liable to very severe regulatory sanctions for the failure to comply with the obligations regarding the processing (and transfer) of personal data.

Such a risk exists, for example, in a situation where a contract for HR or payroll services is signed with an outsourcing firm and where such a contract involves the transfer of personal data processing to that firm. According to GDPR, "processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Personal data are entrusted to the processor at the time the controller transfers those data to the processor, and this implies two significant obligations on the part of the controller (i.e. the transferring entity).

Obligations of data controller

The first, and the most controversial, obligation is the selection of processors who will ensure sufficient compliance with the GDPR requirements and will protect the rights of data subjects. The data controller is the entity responsible for assessing whether the chosen service provider has adopted the technological and organisational means necessary for this purpose.

How can the data controller check whether the existing or potential suppliers meet the above conditions?  In this respect, GDPR suggests in the first place that the controller or another auditor mandated by the controller should carry out "audits, including inspections". This solution may prove ineffective, especially if the enterprise being the data controller uses the services of many outsourcing firms.

Also the processor can take appropriate steps towards ensuring compliance by demonstrating that it observes the approved industry or professional code of conduct or by obtaining a relevant data processing compliance certificate. As of now, Polish law does not provide for any system of certificates that would confirm compliance with the requirements regarding the processing and protection of personal data. However, GDPR and the draft Personal Data Protection Act envisage a relevant certification procedure. Rödl & Partner is working with Cybercom Poland and the Polish Centre for Testing and Certification Quality to meet the challenges posed by the new certification regulations and to obtain a certification licence (read e.g. the articles at the links below http://www.rp.pl/W-kancelariach/171219779-Rodl--Partner-wspolpracuje-przy-certyfikacji-firm-w-zakresie-ochrony-danych-osobowych.html).

Until the new Personal Data Protection Act enters into force, data processors and controllers will have to apply temporary measures, such as, for example, presenting an opinion obtained from an independent expert to their business partners before contract signing or allowing their business partners to carry out data protection audits (all such measures should be regulated in a relevant contract). A good practice in this context should be the implementation of rules (internal procedures) applicable to the selection of key suppliers who could be verified in terms of compliance with the obligations regarding the protection and processing of personal data.

Contract for personal data processing

Hiring the processor to process personal data implies the obligation to sign a contract that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects, and the rights and obligations of the controller. This is nothing new because the Personal Data Protection Act currently in force stipulates the obligation to sign a personal data processing contract. It does not regulate the content of the contract in such detail, though.

According to GDPR, that contract must stipulate, in particular, that the processor:

• processes the personal data only on documented instructions from the controller;
• ensures that persons authorised to process the personal data have committed themselves to confidentiality;
• takes all measures required to ensure the security of data processing;
• respects the conditions (specified in DGPR) for engaging another processor;
• insofar as this is possible, assists the controller by appropriate technical and organisational measures for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in GDPR (e.g. the right to be forgotten, the right of data portability);
• assists the controller in ensuring compliance with the obligations regarding the security of processing, notification and communication of a personal data breach, data protection impact assessment and prior consultation;
• at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
• makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in the relevant GDPR article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

The parties may agree on contractual penalties for the failure to properly fulfil the above obligations, or may provide for other measures to ensure the that those obligations are fulfilled. Currently, it is not a standard practice to introduce contractual clauses that would be similar to the scope covered by the relevant GDPR provisions.  Those issues will be regulated on a case-by-case basis, taking into account the entity's position on the market, the size of its business, and the industry in which it operates.

Standard contractual clauses and good practices

Noteworthy, the European Commission and the supervisory authority (which should ultimately be the President of Personal Data Protection Office) will be authorised to present standard contractual clauses which will surely be frequently used in draft personal data processing contracts. According to the current draft of the new Personal Data Protection Act, the Polish supervisory authority may issue codes of good practices setting out guidelines as to how to align business processes with GRPR requirements. This will surely help enterprises prepare for the GDPR regime, but on the condition that the code of good practices is issued reasonably in advance of 25 May 2018.

Enterprises which engage processors should take appropriate steps as soon as possible in order to avoid the situation in which their suppliers are not able to ensure compliance with the GDPR requirements.  Besides the risk of personal data breach, enterprises are also exposed to the risk of a regulatory fine amounting to the higher of up to EUR 10,000,000 or up to 2% of the enterprise's total worldwide turnover for the previous financial year. The same sanction may apply if the enterprise fails to sign a contract for the processing of personal data or signs such a contract in contravention of GDPR requirements. In such a case, the sanction may be imposed on both the controller and the processor.