Subcontractor compliance with the RGPD: 8 obligations to meet
Whether an entity is a SaaS software provider, a web application editor, an integrator, a digital and IT service provider, or whether it uses such services, there is a good chance that it will be subject to the future General Data Protection Regulation that comes into force on May 25, 2018 (known by its French acronym RGPD, or GDPR in English) and that it will be confronted with issues of personal data subcontracting.
The processor will therefore have to bring its activity into line with the new RGPD obligations that will soon be incumbent on it, so as not to run the risk of being sanctioned by the supervisory authorities. But to do this, it first needs to know what those obligations are.
Preliminary operation: Identifying subcontracting relationships
Complying with the RGPD means having to precisely identify personal data subcontracting relationships and qualify the actors according to the role of each, controller or subcontractor.
This operation is crucial, as it will determine the obligations that an entity will have to comply with.
A processor is any person who processes personal data on behalf of another entity, the controller.
The subcontractor differs from the latter in that he defines neither the purpose of the processing (what the data are processed for) nor the essential means of processing (the processes by which the data will mainly be processed).
As this distinction is made on a data processing-by-data processing basis, it is conceivable that the same entity, in its relationship with a business partner and in the event of multiple processing operations, could be a data controller for one operation, but a data processor for another.
With such a definition, it should be noted that the notion of processor in the sense of personal data law is a false friend of the notion of processor in the usual or commercial sense.
A processor in the commercial sense of the term may well be a data controller in the sense of data law, and vice versa.
It is therefore necessary to be particularly vigilant in this respect, and to approach this stage of the compliance process without preconceptions.
Once an entity has clearly identified the purposes for which it is processing personal data, it will have to comply with 8 main obligations.
Obligation no. 1: respect the form of subcontracting contracts
The RGPD requires that the relationship between data controller and data processor be strictly framed and formalized in a written contract.
This contract must contain a certain number of mandatory references and clauses, including a clause authorizing the controller to audit the way in which the processor processes data on its behalf, or a clause organizing access to data by the processor's staff.
In order to comply with these new rules, subcontractors should therefore update both their existing contracts and their model contracts for the future.
Obligation no. 2: choose your subcontractors
Under the RGPD, the processor may itself engage another processor only with the prior written authorization of the controller.
This authorization may be specific, for a particular second-level processor, or general, for any second-level processor that the processor may already have or recruit in the future.
In such cases, the contract between the processor and the second-level processor must provide for at least the same level of data protection guarantees as that between the controller and the processor.
Here again, compliance by an entity that processes personal data will involve reviewing existing contracts with its partners and updating contractual models for the future.
Obligation no. 3: comply with the controller's instructions
The RGPD leaves very little room for maneuver for the entity processing personal data on behalf of a controller.
Thus, the processor will only be able to implement processing insofar as it complies with the instructions given to it by the controller.
These instructions may be specified in the initial contract between the processor and the controller, or may be given subsequently by the controller.
However, this obligation does not mean that the processor must remain passive in its relationship with the controller.
Indeed, he is obliged to inform the controller immediately if he believes that an instruction he has received is contrary to the RGPD or, more generally, to European Union law or his national law.
Obligation no. 4: keep a processing register
The RGPD requires processors employing more than 250 people, those regularly implementing particularly risky processing, and those processing sensitive data (health data, data relating to criminal convictions, etc.) to keep a register of their processing activities.
The purpose of this register is to make it easier for the supervisory authority (the CNIL in France) to carry out its audits. It must therefore contain all the information essential for gaining an overview of the way in which data is processed at a processor: on whose behalf data is processed, what security measures are in place, what types of processing are implemented, etc.
This is an important step in the compliance process, as it sometimes requires genuine internal investigation.
Obligation no. 5: maintain a proportionate level of security
The lack of security in personal data processing carried out by a subcontractor on behalf of a data controller is one of the most frequent grounds for sanction by the CNIL.
That's why it's important to be particularly diligent on these issues and to make sure that the measures implemented by the processor to prevent data breaches are appropriate, as required by the RGPD.
Several criteria are used to determine the suitability of these measures. These mainly involve taking into account the level of risk generated by the processing for the people whose data is being processed.
However, and this is to be welcomed, compliance with security obligations under the RGPD does not require the processor to spend its entire annual budget on security either.
The level of quality expected will depend on the subcontractor's human, material and technical resources.
Ensuring data security compliance for subcontractors means making sure that they are doing the best they can, given what they have. This means carrying out a security audit to identify potential vulnerabilities, and making the necessary corrections to remedy them.
If the entity's resources allow, the use of a specialized cybersecurity service provider is recommended.
Obligation no. 6: inform the data controller in the event of personal data breaches
In cybersecurity, it is customary to say that the question is not so much whether an entity will suffer a data breach, but rather when.
A data breach can take many forms, such as destruction, loss, alteration, unauthorized disclosure or unauthorized access to data.
It is therefore a safe bet, unfortunately, that a personal data processor will experience a data breach at least once in its existence.
The GDPR places the vast majority of obligations relating to personal data breaches on the shoulders of the data controller.
As for the processor, it has only two obligations: firstly, to notify the controller as soon as possible if it suffers a breach of the data it processes on its behalf, and secondly, to cooperate with the controller as soon as the latter requests it to do so.
As part of the subcontractor's compliance project, it is therefore useful to define in advance the procedures to be followed in the event of a data breach, to ensure that information circulates rapidly and to be more responsive to the urgency of such situations.
Obligation no. 7: appoint a Data Protection Officer (DPO)
When a subcontractor's activities involve processing a large amount of personal data or particularly sensitive data, the RGPD requires it to appoint a person to deal with all its data protection issues: the Data Protection Officer (DPO), who will have to report directly to the highest level of the subcontractor's management.
To this end, the RGPD leaves the processor some latitude in appointing its DPO. It may thus be a member of the processor's staff or a service provider if it is chosen to outsource the DPO function.
It is also possible for several entities, whether subcontractors or data controllers, to pool their resources by appointing a common DPO.
Once the DPO has been appointed, the subcontractor, in its relationship with him/her, must ensure that he/she has the means to carry out his/her duties, in other words that he/she is systematically involved in data protection issues, has sufficient resources, and can operate in complete independence.
The appointment of the DPO is therefore an important step in ensuring compliance with data protection regulations, since it is the DPO who will first manage the project to bring the subcontractor into compliance, and then ensure that compliance is maintained.
Obligation no. 8: ensure the lawfulness of data transfers to third countries
Many activities in the digital industry require personal data to be transferred from one country to another, whether between entities belonging to the same group of companies or as part of the provision of services.
On this aspect, the RGPD requires particular scrupulousness regarding the conditions under which these transfers take place.
Thus, a processor may only transfer data abroad in certain limited circumstances: if the recipient of the data is located in the European Union or in a country that the European Commission has deemed to provide a sufficient level of data protection, or if the entity receiving the data itself presents a certain number of guarantees (notably through the adoption of binding corporate rules, adherence to a code of conduct approved by the competent authorities, or adequate contractual organization of the transfer).
The subcontractor's compliance with the RGPD will therefore have to involve identifying the data transfers it implements and reorganizing them if they do not fall within the cases provided for by the regulation.
Conclusion
Bringing a processor's activities into compliance with the RGPD is no mean feat. The obligations to be met are numerous and can sometimes require real expertise.
But as business partners become increasingly demanding about compliance with data protection regulations, it is possible to see compliance not as a chore, but as an opportunity to gain a competitive edge.