Processor compliance with the GDPR: 8 obligations to be met
Whether an entity is a SaaS software provider, a web application publisher, an integrator, a digital and IT service provider, or a customer of such services, there is a good chance that it is subject to the General Data Protection Regulation (GDPR), which applies from 25 May 2018, and that it will have to deal with issues relating to the outsourcing of personal data processing.
As a result, processors will need to bring their activities into line with the new obligations of the GDPR, so as not to run the risk of being penalised by the supervisory authorities. But to do this, they first need to know what those obligations are.
Preliminary operation: identifying processing relationships
In order to comply with the GDPR, it is necessary to identify precisely every relationship in which personal data is processed on behalf of another party, and to classify the parties involved according to the role each one plays: data controller or data processor.
This is a crucial operation, as it determines which obligations an entity will have to comply with.
A processor is any person who processes personal data on behalf of another entity, the controller.
The processor differs from the controller in that it defines neither the purpose of the processing (what the data is processed for) nor its essential means (which data is processed, for how long, and who may access it).
As this distinction is made on a data-processing-by-data-processing basis, it is conceivable that the same entity, in its relationship with a commercial partner and in the event of multiple processing operations, could be the data controller for one operation, but a data processor for another.
With such a definition, it should be noted that the notion of processor in data protection law (sous-traitant in French) is a false friend of the notion of subcontractor in the usual or commercial sense.
A subcontractor in the commercial sense of the term may well be a data controller in the sense of data protection law, and a company that is not a subcontractor in any commercial sense may well be a processor.
It is therefore necessary to be particularly vigilant on this point and to approach this stage of compliance with an open mind.
Once an entity has established that it acts as a processor for a given processing operation, it will have to comply with 8 main obligations.
Obligation no. 1: formalise the processing contract
The GDPR requires the relationship between data controller and data processor to be strictly regulated and formalised in a written contract (or another binding legal act).
This contract must set out the subject matter and duration of the processing, its nature and purpose, the types of personal data and the categories of data subjects, and must contain a number of mandatory clauses, including a clause authorising the controller to audit the way in which the processor processes the data on its behalf, and a clause committing the processor's staff who have access to the data to confidentiality.
In order to comply with these rules, processors should therefore update both their existing contracts and the model contracts they will use in future.
Obligation no. 2: control the use of sub-processors
Under the GDPR, a processor may engage another processor only with the prior written authorisation of the data controller.
This authorisation may be specific, for a particular sub-processor, or general, covering any sub-processor the processor already uses or may recruit in the future. In the case of a general authorisation, the processor must inform the controller of any intended addition or replacement of a sub-processor, so that the controller has the opportunity to object.
In all cases, the contract between the processor and the sub-processor must impose the same data protection obligations as those set out in the contract between the controller and the processor, and the processor remains fully liable to the controller for the sub-processor's performance.
Here again, compliance will involve reviewing existing contracts with partners and updating contractual models for the future.
Obligation no. 3: comply with the controller's instructions
The GDPR leaves very little room for manoeuvre to the entity processing personal data on behalf of a controller.
As a result, the processor may process the data only on the documented instructions given to it by the controller.
These instructions may be specified in the contract initially concluded between the processor and the controller, or may be given subsequently by the controller.
However, this obligation does not mean that the processor must remain passive in its relationship with the controller.
It is obliged to inform the controller immediately if, in its opinion, an instruction it has received infringes the GDPR or other European Union or national data protection provisions.
Obligation no. 4: keep a processing register
The GDPR requires processors with 250 or more employees to keep a register of their processing activities. Smaller processors must keep one too if the processing they carry out is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or involves special categories of data (health data, data relating to criminal convictions, etc.).
The purpose of this register is to make the audits of the supervisory authorities (in France, the CNIL) easier. It must contain all the information needed to provide an overview of the way in which data is processed by the processor: on whose behalf the data is processed, what categories of processing are carried out for each controller, what transfers to third countries take place, what security measures have been put in place, and so on.
This is an important stage in compliance, as it sometimes requires a real internal investigation.
Obligation no. 5: maintain a proportionate level of security
Inadequate security in the processing of personal data carried out by a processor on behalf of a data controller is one of the most frequent grounds for sanctions by the CNIL.
This is why it is important to be particularly diligent on these issues and to ensure that the measures implemented by the processor to prevent data breaches are appropriate, as required by the GDPR.
Several criteria are used to determine whether these measures are appropriate: the state of the art, the cost of implementation, and the nature, scope, context and purposes of the processing. The main one is the level of risk that the processing generates for the people whose data is being processed.
However, and this is to be welcomed, compliance with the security obligations under the GDPR does not require the processor to spend its entire annual budget on security.
The level of expectation will therefore depend in part on the processor's resources, whether human, material or technical. This is a factor, not an excuse: a limited budget does not lower the bar for high-risk processing, and measures such as encryption, pseudonymisation and the ability to restore availability after an incident are expressly cited by the regulation.
Ensuring that the processor is compliant in terms of data security means making sure that it is doing the best it can given what it has. This means carrying out a security audit to identify weaknesses and making the corrections needed to remedy them.
If the entity's resources allow, the use of a specialist cybersecurity service provider is recommended.
Obligation no. 6: inform the data controller in the event of a personal data breach
In cybersecurity, it is customary to say that it is not so much a question of knowing if an entity will be the victim of a data breach, but rather of knowing when it will be.
A data breach can take many forms, such as the destruction, loss, alteration, unauthorised disclosure or unauthorised access of data.
Unfortunately, there is every chance that a personal data processor will experience a data breach at least once in its lifetime.
The GDPR places the vast majority of obligations relating to personal data breaches on the shoulders of the controller.
The processor, for its part, has two obligations: firstly, to notify the controller without undue delay after becoming aware of a breach affecting the data it processes on the controller's behalf, and secondly, to assist the controller when the latter asks it to do so.
As part of the processor's compliance project, it is therefore useful to define in advance the procedures to be followed in the event of a data breach, to ensure that information circulates quickly and to be more responsive to the urgency of such situations. In practice, because the controller itself must notify the supervisory authority within 72 hours where feasible, contracts usually set the processor a much shorter deadline, and the procedure should identify in advance who on each side is to be contacted and what information (nature of the breach, data and individuals affected, measures taken) is to be provided.
Obligation no. 7: Appoint a Data Protection Officer (DPO)
When a processor's core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data or of data relating to criminal convictions, the GDPR requires it to appoint a person to deal with all its data protection issues: the Data Protection Officer (DPO), who must report directly to the highest level of the processor's management.
The GDPR allows the processor a certain amount of latitude in appointing its DPO. This may be a member of the processor's staff, or a service provider if the DPO function is outsourced.
It is also possible for several entities, whether processors or data controllers, to pool their resources by appointing a joint DPO.
Once the DPO has been appointed, the processor must ensure that the DPO has the means to carry out the role: that the DPO is systematically involved in data protection issues, has sufficient resources, and can operate completely independently, without receiving instructions on how to perform the tasks and without being penalised for doing so.
The appointment of the DPO is therefore an important step in ensuring compliance with data protection regulations, as it is the DPO who will first advise on the project to bring the processor into compliance, and then monitor that compliance is maintained.
Obligation no. 8: ensure that data transfers to third countries are lawful
Many activities in the digital industry require personal data to be transferred from one country to another, whether between entities belonging to the same group of companies or as part of the provision of services.
In this respect, the GDPR requires particular care over the conditions under which these transfers take place.
A processor may only transfer data outside the European Economic Area in a limited number of circumstances: if the recipient is located in a country that the European Commission has deemed to provide an adequate level of data protection, or if the transfer is covered by appropriate safeguards, in particular standard contractual clauses adopted by the Commission, binding corporate rules, adherence to a code of conduct approved by the competent authorities, or an approved certification mechanism. Failing that, the transfer may only take place under one of the specific derogations provided for by the regulation.
In order to comply with the GDPR, processors must therefore identify the data transfers they carry out and reorganise those that do not fall into one of these categories.
Conclusion
Bringing a data processor's activities into line with the GDPR is no easy task. There are many obligations to comply with, some of which require real expertise.
But as business partners become increasingly demanding about compliance with data protection regulations, it is possible to see compliance not as a chore, but as an opportunity to gain a competitive advantage.