Documente Academic
Documente Profesional
Documente Cultură
Data Protection
Regulation
GUIDE FOR PROCESSORS
SEPTEMBER 2017 EDITION
Applicable from 25 May 2018 across the whole of the European Union, the General Data
Protection Regulation (GDPR) strengthens European residents' rights bearing on their
data and increases accountability on the part of all stakeholders processing such data
(controllers and processors), whether or not they are established in the European Union.
The Regulation lays down specific obligations that must be followed by processors, who
are likely to be held liable in the event of a breach.
This guide sets out to assist processors in implementing these new obligations.
Contents
Are you a processor in the meaning of the General Data Protection Regulation? ................................ 2
Are you subject to the General Data Protection Regulation? ................................................................ 4
What is the primary change introduced by the General Data Protection Regulation for processors? . 5
Today.................................................................................................................................................. 5
From 25 May 2018 ............................................................................................................................. 5
What are your obligations from 25 May 2018? ..................................................................................... 6
1. A transparency and traceability obligation................................................................................. 6
2. Consideration of the principles of data protection by design and by default ............................. 6
3. An obligation to guarantee the security of data processed ......................................................... 7
4. An assistance, alert and advice obligation .................................................................................. 7
Where should you start? ........................................................................................................................8
1. Check whether you have to designate a data protection officer .................................................8
2. Analyse and revise your contracts ..............................................................................................8
3. Draw up a record of processing activities ................................................................................... 9
If I use another processor, what are my obligations? .......................................................................... 10
Do the current contracts with my clients need to be amended? ......................................................... 10
What is my role in the event of a data breach? ..................................................................................... 11
What is my role with regard to the impact assessment? ...................................................................... 11
Am I able to benefit from the one-stop-shop mechanism? .................................................................. 11
What are my obligations if I am not established in the EU? ............................................................... 12
What are the risks if I do not comply with my obligations? ................................................................ 12
Example of sub-contracting contractual clauses ................................................................................. 13
1
General Data Protection Regulation – Guide for Processors – September 2017 edition
Insofar as they do not have access to or process personal data, software publishers and manufacturers
of equipment (such as clocking terminals, biometric equipment or medical equipment) are not
concerned.
NB:
• An organisation which is a processor is generally the controller for processing which it carries
out on its own behalf, rather than for its clients (managing its own staff for example).
• When an organisation determines the purposes and means of processing, it may not be
considered a processor: it shall be considered the controller of said processing (Article 28.10
of the GDPR).
Company A provides a marketing letter delivery service using the client data files of companies B and C.
Company A is a processor for companies B and C insofar as it processes the necessary client data for sending the letters on
behalf of and on instructions from companies B and C.
Companies B and C are their clients’ management controllers, including as regards the delivery of marketing letters.
Company A is also the controller regarding the management of staff it employs, and the management of its clients which
include companies B and C.
2
General Data Protection Regulation – Guide for Processors – September 2017 edition
Tool: to determine whether you are a processor or the controller, see the Opinion 1/2010 of the Article
29 Data Protection Working Party (WP29) of 16 February 2010, which sets out the bundle of
indicators to be used when analysing on a case-by-case basis:
• level of instructions given by the client to the service provider: what margin of manoeuvre
does the service provider have in delivering its service?
• extent of monitoring over the execution of the service: to what extent does the client
"supervise" the service?
• added-value provided by the service provider: does the service provider boast in-depth
expertise in the field?
• degree of transparency over use of a service provider: is the service provider's identity known
to the data subjects using the client's services?
Official text
3
General Data Protection Regulation – Guide for Processors – September 2017 edition
Official text
4
General Data Protection Regulation – Guide for Processors – September 2017 edition
Today:
The obligations of the French Data Protection Act (Loi Informatique et Libertés) are only
enforceable as regards the controller. Indeed, where a processor is used:
• the contract between said processor and the controller must indicate the processor's
obligations in terms of protecting data security and confidentiality and stipulate
that the former may only act on instructions from the latter;
• said processor must provide sufficient guarantees to ensure the implementation of the
security and confidentiality measures set out in Article 34 of the French Data Protection Act;
• this requirement does not release the controller from its obligation to ensure compliance with
such measures.
1 Recital 13 of the GDPR gives a reminder that adoption of "a Regulation is necessary to provide legal certainty and
transparency for economic operators (…), to provide natural persons in all Member States with the same level of
legally enforceable rights and obligations and responsibilities for controllers and processors".
5
General Data Protection Regulation – Guide for Processors – September 2017 edition
6
General Data Protection Regulation – Guide for Processors – September 2017 edition
o automatically and selectively clearing data from an active database at the end of a
certain period, or
o managing IT access rights and clearances on a "data-by-data" basis or at the request
of the data subjects (for the social networks for example).
7
General Data Protection Regulation – Guide for Processors – September 2017 edition
Over and above these compulsory cases, designation of a DPO is recommended as this way you will
have an expert tasked with the practical implementation and management of compliance with the
GDPR.
Examples
The guidelines on data protection officers of the WP29 adopted on 5 April 2017 provide two examples of when it is
compulsory for a processor to designate a DPO:
Example no.1: a small family business active in the distribution of household appliances in a single town uses the services
of a processor whose core activity is to provide website analytics services and assistance with targeted advertising and
marketing. The activities of the family business and its customers do not generate processing of data on a ‘large scale’,
considering the small number of customers and the relatively limited activities. However, the activities of the processor,
having many customers like this small enterprise, taken together, are carrying out large-scale processing. The processor
must therefore designate a DPO under Article 37(1)(b) of the GDPR. At the same time, the family business itself is not under
an obligation to designate a DPO.
Example no.2: a medium-size tile manufacturing company subcontracts its occupational health services to an external
processor, which has a large number of similar clients. The processor shall designate a DPO under Article 37(1)(c), provided
that the processing is on a large scale. However, the manufacturer is not necessarily under an obligation to designate a DPO.
The DPO designated by a processor also oversees activities carried out by the processor organisation when acting as a data
controller in its own right (e.g. HR, IT, logistics).
8
General Data Protection Regulation – Guide for Processors – September 2017 edition
• the type of personal data that you are processing on your client's behalf
• the categories of data subjects
• the obligations and rights of your client as the controller
• your obligations as the processor as set out in Article 28 of the GDPR
Clause examples
This guide gives an example of sub-contracting clauses pending the adoption of standard contractual
clauses in the meaning of Article 28.8 of the GDPR. These examples of clauses can be inserted into
your contracts. They must be tailored and specified according to the sub-contracting service
concerned. Please note that they do not constitute a subcontract in themselves.
Official text
NB
Please also note that you are considered to be the controller for operations you carry out on your own
data (for example for managing your staff or your clients) and, as such, two records must be
maintained: one for the processing operations with regard to which you are the controller and
another for the processing operations that you carry out as the processor, on your clients’ behalf.
Sample record
A sample record is shown in Step 2: map your personal data processing, in the online guide General
Data Protection Regulation: Getting ready in 6 steps
Official text
9
General Data Protection Regulation – Guide for Processors – September 2017 edition
The processor you recruit is subject to the same obligations as those stipulated in your
contract with your controller client. It must, in particular, provide sufficient guarantees to
implement appropriate technical and organisational measures in such a manner that the processing
meets the requirements of the GDPR.
Be aware!
If the processor you recruit does not comply with its obligations, you are fully liable as regards the
controller for this processor’s compliance with its obligations.
Official text
Articles 28.2 and 28.4 of the GDPR on a processor engaging another processor
Yes, all of the ongoing subcontracts will have to include the compulsory clauses as set
out in the GDPR, on 25 May 2018.
All processors are therefore advised to:
• anticipate this change in applicable legal framework by already incorporating, via an
amendment, the clauses in ongoing contracts with their clients, whilst providing
that these shall not come into force until 25 May 2018
• conduct, from this date, checks and/or audits to ensure that you are complying with your
obligations as a processor and to make the necessary adjustments.
Clause examples
This guide gives an example of sub-contracting clauses pending the adoption of standard contractual
clauses in the meaning of Article 28.8 of the GDPR. These examples of clauses can be inserted into
your contracts. They must be tailored and specified according to the sub-contracting service
concerned. Please note that they do not constitute a subcontract in themselves.
10
General Data Protection Regulation – Guide for Processors – September 2017 edition
Article 28.3 f) of the GDPR and WP29 guidelines on data protection impact assessment (p.13)
Articles 4.16, 56 and Recital 36 of the GDPR and WP29 Guidelines for identifying a controller or
processor’s lead supervisory authority (p. 9)
11
General Data Protection Regulation – Guide for Processors – September 2017 edition
12
General Data Protection Regulation – Guide for Processors – September 2017 edition
AND
[…], located in […] and represented by […]
(hereinafter, "the processor")
As part of their contractual relations, the parties shall undertake to comply with the applicable
regulations on personal data processing and, in particular, Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 which is applicable from 25 May 2018
(hereinafter "the General Data Protection Regulation").
14
General Data Protection Regulation – Guide for Processors – September 2017 edition
15
General Data Protection Regulation – Guide for Processors – September 2017 edition
Possible option
Once the controller has agreed, the processor shall notify the competent supervisory
authority (the CNIL), in the name and on behalf of the controller, of the personal data
breaches without undue delay and, where feasible, not later than 72 hours after having
become aware of them, unless the breach in question is unlikely to result in a risk to the rights
and freedoms of natural persons.
The notification shall at least:
describe the nature of the personal data breach including where possible, the categories
and approximate number of data subjects concerned and the categories and
approximate number of personal data records concerned;
communicate the name and contact details of the data protection officer or other
contact point where more information can be obtained;
describe the likely consequences of the personal data breach;
describe the measures taken or proposed to be taken by the controller to address the
personal data breach, including, where appropriate, measures to mitigate its possible
adverse effects.
Where, and in so far as, it is not possible to provide the information at the same time, the
information may be provided in phases without undue further delay.
Once the controller has agreed, the processor shall communicate, in the name and on behalf
of the controller, the personal data breach to the data subject without undue delay where said
breach is likely to result in a high risk to the rights and freedoms of natural persons.
The communication to the data subject shall describe in clear and plain language the nature
of the personal data breach and at least
describe the nature of the personal data breach including where possible, the categories
and approximate number of data subjects concerned and the categories and
approximate number of personal data records concerned;
communicate the name and contact details of the data protection officer or other
contact point where more information can be obtained;
describe the likely consequences of the personal data breach;
describe the measures taken or proposed to be taken by the controller to address the
personal data breach, including, where appropriate, measures to mitigate its possible
adverse effects.
10. Assistance lent by the processor to the controller regarding compliance with
its obligations
The processor assists the controller in carrying out data protection impact assessments.
The processor assists the controller with regard to prior consultation of the supervisory
authority.
16
General Data Protection Regulation – Guide for Processors – September 2017 edition
17
General Data Protection Regulation – Guide for Processors – September 2017 edition
18