Do you know that as a controller, you are responsible if you hire a processor who does not have adequate guarantees to prove that the processing you entrusted to him or her is carried out in accordance with the GDPR?
Business entities take on the roles of controller and processor on a regular basis in their operations, regardless of whether they are companies, crafts, associations, or other organizations. When such business entities enter into a controller-processor relationship, they are obliged to regulate that relationship according to the requirements of the General Regulation. At the same time, the definitions of controller and processor play a crucial role in the application of the General Regulation, as they determine who is responsible for compliance with the various data protection rules and how data subjects can exercise their rights in practice.
As a reminder, the controller is any entity that determines the purposes and means of processing, while the processor is another entity engaged by the controller to process personal data on the controller’s behalf. However, when determining whether an entity really is our processor, a larger number of elements must be considered in order to establish that fact properly.
Examples of common processors:
- an external accounting service that calculates the salary
- a company that provides video surveillance services
- a company that provides physical protection services
- a company that provides hosting services
- a company that provides support for our IT systems
- marketing agencies to which we forward our client base, for example for sending marketing messages, various invitations, and the like
- the call centre we hired to provide customer support to our clients
- debt collection agencies engaged under business cooperation agreements, and so on.
In order for the relationship between the controller and the processor to be in accordance with the General Regulation, it should meet several requirements that the said regulation places on the controller and the processor. First, such a relationship must be governed by a contract or other legal act containing all the elements prescribed by the General Regulation, whether the provisions on the processing of personal data are an integral or a separate part of that contract. Thus, in practice, after concluding the basic contract, the controller and processor most often sign a separate contract on the processing of personal data or apply standard contractual clauses between the controller and the processor.
ACTIONS BEFORE SIGNING THE CONTRACT
The controller has the duty to engage “only processors providing sufficient guarantees to implement appropriate technical and organisational measures”, in such a way that the processing meets the requirements of the GDPR, including the security of the processing, and ensures the protection of the rights of the data subjects.
Simply put, the controller will be responsible if he or she engages a processor who does not provide sufficient guarantees for the security of processing and who has no convincing evidence that personal data is processed in accordance with the requirements of the General Regulation.
Therefore, before signing a contract with the processor, the controller should:
- assess the processor’s compliance, and
- base that assessment on real grounds and document it.
Namely, the controller is responsible for assessing the sufficiency of the guarantees provided by the processor and must be able to prove that he or she has seriously considered all the elements prescribed by the General Regulation, as the European Data Protection Board points out in its guidelines.
ASSESSMENT OF ADEQUACY OF GUARANTEES
In order for the controller to prove that he or she has considered all the necessary elements, this will often require the exchange of relevant documentation with the processor, such as the privacy policy, terms of service, records of processing activities, data management requirements, data security rules, reports on external data protection audits, a recognized international certificate such as the ISO 27000 series, and others.
The assessment carried out by the controller regarding the sufficiency of guarantees is a form of risk assessment that will largely depend on the type of processing entrusted to the processor. There is no exhaustive list of documents or actions that the processor should present or prove; rather, the assessment should be carried out for each individual case separately, considering the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons. In such an assessment, the controller should take into account the processor’s professional knowledge (e.g. technical expertise regarding security measures and data breaches), reliability and resources; the processor’s reputation on the market may also be an important factor.
However, does the controller always have to carry out comprehensive checks to determine the adequacy of the processor’s guarantees?
In situations where the processing of personal data carries a lower risk, it will not always be necessary to insist on extensive guarantees or to carry out a deeper analysis and verification, but the processor will always need to provide certain guarantees that the controller can justifiably evaluate as sufficient.
PERMANENT OBLIGATION OF THE CONTROLLER
It is important to keep in mind that the controller’s obligation to engage only those processors who “sufficiently guarantee”, as stated in Article 28 paragraph 1 of the General Regulation, is a permanent obligation of the controller.
It does not end at the moment when the controller and the processor sign a contract or other legal act regulating the processing of personal data. Therefore, the controller should verify the processors’ guarantees at appropriate intervals, including through audits and other verifications, as the European Data Protection Board points out in its guidelines on controllers and processors.
Of course, the controller should document, and be able to prove, the assessment of sufficient guarantees, the verifications, the audits of the processor, and other checks.