EDPB Opinion Provides Guidance on Controller-Processor Agreements Under GDPR
July 15, 2019 – Alerts
The European Data Protection Board (EDPB) has issued an opinion on the standard contractual clauses proposed by the Danish Data Protection Authority that contains important takeaways for drafting and negotiating all Controller-Processor data processing agreements under Article 28 of the GDPR.
Here are some key takeaways:
- It is not enough to simply quote the language of Article 28; you need to explain how it will apply in practice.
- When referring to an Article 28 obligation, however, try to use the language of the General Data Protection Regulation (GDPR).
- You should address the consequences and solutions for the event that a processor notifies a controller that its instructions contravene the law.
- When discussing a risk assessment, it may be helpful to enumerate in detail the elements to be considered, which are mentioned in Article 32 of GDPR. These include, in particular, the nature, scope, context and purposes of the processing activity as well as the risks to the rights and freedoms of natural persons.
Use of Sub-Processors
- The list of sub-processors that are accepted by the data controller at the time of the agreement should be included as an exhibit to the agreement.
- Any conditions for a data controller to object to a sub-processor must allow the data controller to exercise its freedom of choice and remain in control of the data; this includes providing sufficient advance notice regarding the engagement of the sub-processor.
- Though not required by Article 28, the EDPB looks favorably on incorporating a clause naming the data controller as a third-party beneficiary in the event of a bankruptcy of the data processor – which would include:
  - an obligation by the sub-processor to be liable to the data controller in the event of the data processor's bankruptcy; and
  - the ability for the data controller to directly instruct the sub-processor to return the data.
- When discussing the processor’s liability in the event of a breach by the sub-processor, it is important to add that this does not affect the rights of the data subjects under GDPR (in particular those foreseen in Articles 79 and 82 against the data controller and against the data processor, including the sub-processor).
- When speaking about third countries in the context of cross-border transfer, it is important to clarify that these are countries outside of the European Economic Area, not just outside the relevant member state.
- It should be made clear that it is the data controller that decides whether a transfer to a third country should be allowed or prohibited under the agreement.
- It is helpful to mention compliance with Chapter V of GDPR, which deals with cross-border transfers.
Data Subject Rights
- The Data Processing Agreement (DPA) should give detail on the manner in which the processor is required to provide assistance, not just a list of rights. It should set out steps to be taken by the data processor if the data processor directly receives a request from a data subject relating to the exercise of his/her rights. For example, the DPA must make clear, in such a case, whether the data processor is allowed to have any contact with the data subjects and how the processor needs to inform the controller when it comes to data subjects’ rights (e.g. forwarding the request to the controller within a specified time frame or other appropriate measures). The data controller could also instruct the data processor to answer data subjects’ requests according to specific instructions. Another option could be that the data processor would make the technical implementations instructed by the data controller with respect to data subject rights. These could be listed in an appendix to the DPA.
- The EDPB agrees with including a provision allowing data processors to notify data controllers, without undue delay, after becoming aware of a personal data breach and, where possible, within x hours.
- The EDPB prefers giving the data controller the option to require the return or the deletion of data after termination, and to allow the data controller to modify the option chosen at the time the contract is signed. It also recommends a section or appendix listing applicable laws that require storage for a certain amount of time.
Audit and Inspection
- The EDPB states that the same audit and inspection procedures should apply to both processors and sub-processors. This could prove challenging for data processors dealing with sub-processors that are tech giants and with which they do not have much bargaining power.
- The EDPB states that the audit report should be provided to the data controller following the audit and that it should be made clear that the controller can contest the scope, methodology and results of the inspection. The controller should also be able to request processors to take measures following the results of the inspection.
- The framework of inspections and/or audits should not be limited to the facilities of the processor or sub-processors.
- The data controller should have access to the places where processing is being carried out. This includes physical facilities as well as systems used for and related to the processing.
- If a paragraph specifying liability, governing law, jurisdiction or other terms is included, it cannot lead to any contradiction with the relevant provisions of the GDPR or undermine the level of protection offered by the GDPR or the contract.
- For greater flexibility, the EDPB recommends that there be a stand-alone provision that allows for termination of the DPA separate from the master agreement.
Exhibit on Nature of the Processing
- The exhibit should describe the purpose and the nature of the data processing, as well as the type of personal data processed, the categories of data subjects concerned and the duration of the processing, in the most detailed manner possible. In any circumstance, the types of personal data must be specified further than merely “personal data as defined in Article 4(1)” or by stating which category (Article 6, 9 or 10) of personal data is subject to processing. The EDPB believes it should be clear that, in the case of several processing activities, these elements must be completed for each.
Odia Kagan is a Partner at Fox Rothschild and chair of the firm’s GDPR Compliance and International Privacy Practice. For assistance, contact Odia at [email protected] or 215.444.7313.