On September 29, 2017, the French data protection authority (the CNIL) published practical guidance on General Data Protection Regulation (“GDPR”) requirements intended for data processors. The objective is to guide them on how to comply with their new obligations.
Under the GDPR, data processors have new responsibilities and liabilities in their own right, and data processors may now be liable to pay damages or be subject to fines or other penalties for non-compliance with the GDPR.
The CNIL’s guide explains in a Q&A format the core requirements that all data processors will need to have in place by May 25, 2018.
- As a preliminary question, the CNIL clarifies the notion of data processor, providing a few practical examples and referring to the Working Party 29 (“WP29”) Opinion 1/2010 on the criteria which allow to determine whether an entity acts as a “controller” or a “processor”, as well as the scope of applicability of the GDPR to data processors based on Article 3 of the GDPR.
- Then, the CNIL details the new direct obligations imposed on data processors, consisting of:
- An obligation of transparency and traceability (an obligation to enter into a contract with the data controller, to obtain the data controller’s authorization to sub-process, to maintain a record of activities, etc. Among others, the CNIL recommends to make available all the information necessary to demonstrate compliance notably by referring to CNIL standards for privacy seal related to audit procedures);
- The obligation to take into account the principles of privacy by design and privacy by default with respect to the manner the personal data are processed (allowing data minimization, privacy settings etc.);
- The obligation to ensure the security of the personal data processed (an obligation to ensure that persons authorized to process personal data are bound by confidentiality, to notify any personal data breach to the data controller, etc.); and
- An obligation to assist, alert and advise (an obligation to inform the data controller if an instruction is unlawful, to assist the data controller for the handling of data subjects’ access requests, etc.).
3. The CNIL recommends for data processors to take the following three steps:
i) Assess whether a data protection officer (“DPO”) must be appointed, recommending however to appoint a DPO even if not mandatory and referring for further guidance to the WP29 opinion on the DPO of April 5th, 2017;
ii) Analyse and review the existing contracts to make them compliant with Article 28 of GDPR (examples of clauses to be adapted are proposed by the guide); and
iii) Prepare a record of processing activities.
4. The guide provides further explanations regarding the data processor’s obligations if it uses a sub-processor. It recommends to adapt its existing contracts with its clients by anticipating the application of the GDPR and providing its effective application on May 25, 2018; it reminds the data processor’s role in case of personal data breach and with respect to privacy impact assessments; it informs on the possibility for the data processor to benefit from the one-stop-shop mechanism depending its organization in EU and its obligations if it is established outside the European Union, as well as the risks applicable to data processors in case of non-compliance.
5. The CNIL provides practical examples of situations where a data processor could face important administrative financial sanctions (up to 2% or 4% of the worldwide turnover):
- If the data processor acts outside the scope of or in contradiction with the instructions of the data controller;
- If it does not help the data controller to comply with its obligations or if it does not provide the data controllers with all the information necessary to demonstrate compliance with the GDPR or if it does not inform the data controller that an instruction is unlawful;
- If it sub-processes without the data controller’s authorization or to a sub-processer which does not offer sufficient guarantees;
- If the data processor does not appoint a data protection officer when it is required;
- If it does not maintain a record of the processing activities carried out on behalf of the data controller.
6. Finally, the CNIL provides template data processing clauses to be inserted in service agreements (pending the adoption of standard contractual clauses by the European Commission – please note that there is no certainty whether and when these clauses will be published), emphasizing that such clauses must be adapted to the processing activities concerned.
Such template data processing clauses include both the information required under Article 28 of the GDPR (including various wording options), as well as some additional “gold plating” clauses (although not strictly required by the GDPR, such clauses are useful to remind data processors of their new and direct responsibilities).
The template includes the following provisions : (i) Purpose, (ii) Description of the processing carried out by the data processor, (iii) Duration of the contract, (iv) Obligations of the data processor vis-à-vis the data controller with different possible options depending on the sub-processing conditions, (v) Processing of the personal data for the sole purpose(s) of the contract, (vi) Processing of the personal data in accordance with the data controller’s instructions, (vii) Confidentiality of the personal data, (viii) Obligations regarding the personnel of the data processor, (ix) Privacy by design and privacy by default, (x) Subprocessing, (xi) Data subject information, (xii) Data subject rights, (xiii) Notification in case of personal data breach, (xiv) Assistance, (xv) Security, (xvi) Deletion or return of the personal data, (xvii) Data protection officer, (xviii) Record of processing activities, (xix) Documentation, and (xx) Obligations of the data controller vis-à-vis the data processor.
While the CNIL guidance presents the advantage of compiling in one document all of the requirements applicable to data processors under the GDPR and of providing in general terms the requirements to apply, it does not sufficiently respond to the market questions on the level of details expected in the contract with processors, which are currently an important source of negotiation . It will therefore be interesting to see other supervisory authorities’ guidelines (see for example John McKinlay and Linzi Penman’s analysis of the ICO GDPR Guidance on Contracts and liabilities between controllers and processors). It is likely the CNIL will update its guide and include best practice recommendations once it has received feedback from professionals.