Anna Jędrasiak
Data Processor – a quick reference guide
Entrusting the processing of personal data, processor assessment, risk of potential breaches and incident prevention – what should a data controller focus on when selecting and working with a processor?
Entrustment
Today, entrusting the processing of personal data to a processor is an everyday occurrence. Many business processes could not take place if such entrustment did not occur. However, data controllers often forget that their obligations do not end with the signing of a contract and the transfer of data.
According to Article 5(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: RODO), it is the controller who is responsible for processing data in accordance with the applicable law, and the controller must also be able to demonstrate compliance with this obligation (the principle of “accountability”).
Furthermore, according to Article 28 of the RODO, the controller may only entrust data processing to entities that provide “… sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
Assessment of the processor
Therefore, when signing a data entrustment agreement, the most important elements of which are described in Article 28(3) RODO, the controller should not assume a priori that a given entity meets such guarantees. The signing of the contract should be preceded by an appropriate examination that allows the controller to answer the question of whether the entity to which it wants to entrust the processing of personal data has actually implemented adequate measures to ensure the security of data processing.
As indicated in Guidelines 07/2020 of the European Data Protection Board (hereinafter: EDPB), the assessment of the guarantees provided by the processor is a kind of risk assessment and may be carried out through the disclosure of relevant documentation, e.g.:
- privacy policy;
- terms and conditions of service;
- register of processing activities;
- documentation and records management policy;
- information security policy;
- external data protection audit reports or internationally recognised certifications such as ISO 27000 standards.
It is clear that such an assessment should not be performed generically for multiple processors at once. Each time, the controller must take into account the specific circumstances of the individual case, including what data the entity will be processing.
In the aforementioned guidance, the EDPB indicates that, as part of this assessment, the controller should, in addition to the documentation listed above, also take into account:
- the processor’s expertise (e.g. technical knowledge of security measures and data breaches);
- the processor’s reliability;
- the processor’s resources;
- the processor’s reputation in the market;
- compliance with an approved code of conduct or certification mechanism.
As emphasised by the EDPB and followed by the Polish Office for the Protection of Personal Data (hereinafter: UODO), data processing is a process. Thus, after signing a processing contract, the controller must continue to perform audit and verification activities with respect to the processor. Such activities should be performed at appropriate intervals. However, it is up to the controller, who assesses the risks involved in the processing, to decide how often to undertake activities in relation to the processor and how to verify the processor’s activities and guarantees.
Breaches
It is also worth pointing out that in the case of a personal data breach involving a processor, it is necessary to audit the processor and, where appropriate, to agree with the processor on new conditions for data processing and new technical or organisational measures. In such circumstances especially, the controller and the processor should work closely together.
Finally, if the processor does not provide sufficient guarantees of improvement, the controller should consider whether there are grounds for terminating the cooperation.
Summary
The remedial measures taken by the processor, or the changes and corrections recommended by the controller, should be reasonable and appropriate to the manner and nature of the breach that occurred.
The controller should also not simply assume that its recommendations have been implemented. A lack of oversight of this process may, in the future, prove to be a major problem for the controller itself, as it is the controller who is responsible for the data being processed.
In the context of breaches, and thus the possible interest of the UODO, controllers should also bear in mind that the supervisory authority may require the controller to demonstrate that an entrustment agreement was concluded, to explain whether and how it checked the processor before signing the agreement, and finally to show what further steps, if any, it took during the cooperation to ensure the security of the processing.
Failure to comply with the requirements set out in the RODO for the entrustment of data exposes the controller to financial penalties proportionate to the degree, nature and gravity of the breach.