1. New obligations on data processors – and new data processing contracts needed
As under the current directive, the data controller – the person or entity deciding on the purposes and methods of processing – takes primary responsibility for all processing activities. However, the new Regulation also requires controllers to use only processors that provide “sufficient guarantees” of their ability to meet the required technical and organizational measures for compliance. Meeting approved codes of conduct, certifications, or adherence to binding corporate rules can help to evidence this. The data controller clearly must not ignore any apparent risks with particular processors. For “high risk” operations, it could also be appropriate for controllers to carry out a data protection impact assessment before contracting with processors.
As today, a data processing contract (or some other legal act) will be required when appointing processors. The Regulation sets out a longer list of mandatory requirements for controller-processor contracts than under the directive, so we may need to expand or revise any that are expected to remain in effect when the Regulation takes effect (or start to use an updated version from now on). Processors must agree to:
a) process personal data only on documented instructions from the controller
b) ensure that persons authorised to process personal data are subject to appropriate contractual or statutory obligations of confidentiality
c) take all required security measures
d) engage a sub-processor only with the authorisation of the controller and on the basis of a similar contract
e) assist the controller in responding to requests for exercise of data subjects’ rights of access, erasure etc.
f) assist the controller with management of any security breaches, data processing impact assessments, and consultations with regulatory authorities
g) at the option of the controller, delete or return to the controller all personal data at the end of the processing services
h) make available to the controller all information necessary to demonstrate compliance with the processor’s obligations.
While data controllers remain liable for processing that contravenes the new Regulation, processors may be liable for infringement of obligations specifically relating to processors or of the controller’s lawful instructions. Where there has been an infringement, it will be for the controller and/or processor to prove that they were not responsible. If multiple controller(s) and/or processor(s) are involved, they may be held jointly and severally liable for the entire damage; however, where one of them has paid the full amount of any compensation, it will be entitled to claim an indemnity from the others for the parts for which they – and not it – were responsible.
2. Data Protection Officers – who needs one?
Data protection officers will need to be appointed by all public bodies and many organisations (data controllers or data processors) whose core business consists of: (i) regular and systematic monitoring of data subjects; or (ii) processing of sensitive personal data or criminal records, in either case on a “large scale”.
For the private sector, these are vague criteria. We might know them when we see them, but in particular regarding “large scale”, we may be speculating until any rule of thumb emerges from supervisory authorities.
The DPO’s main tasks will be:
a) to inform and advise their employer/client on legal obligations regarding data protection
b) to monitor compliance with applicable data protection laws and privacy policies, including training and audits
c) to advise where requested on data protection impact assessments
d) to liaise with the supervisory authority (and be a contact point for data subjects).
Under the Regulation the officer will need to have “expert knowledge” of data protection law and practices (knowledge of IT is not officially a requirement), but need not be a full-time employee and may work for multiple organisations on an outsourced basis. A group of companies can have a single DPO as long as the DPO is “easily accessible” from each entity (which might also require some additional language abilities).
A key requirement is that the DPO must report to the highest level of management, be supported with resources in carrying out their tasks, and not be penalised (or sacked) for doing so.
As we know, as a general rule the Regulation abolishes notifications to the supervisory authorities. However, if we need a DPO, then their identity will have to be notified.