On 29 September 2017, the French Data Protection Authority (the CNIL) released a guide for data processors on implementing the obligations laid down in the GDPR. Unlike the draft guidance recently published by the UK Data Protection Authority (the ICO), ‘Contracts and liabilities between controllers and processors’, the CNIL's guidance focuses just on processor obligations and is structured around FAQs. The guide is not overly detailed in terms of practical advice but does consolidate all the GDPR requirements for processors in a single document and provides a template for data processing clauses. The full text (in French) can be found here.
First, the CNIL explains the concept of data processor and the applicability of the GDPR to processors. The guide refers to the Article 29 Working Party opinion on the criteria which determine whether an entity is a processor or a controller. It also provides a list of examples of organisations that may be considered as processors (e.g. SaaS companies, IT and data hosting companies, marketing or communications agencies who have access to personal data, etc.) and organisations that are excluded from the GDPR definition (e.g. software publishers or manufacturers of devices or materials, such as medical or biometric devices, with no access to their customers' data).
The guidance also addresses the main changes brought by the GDPR in respect of direct obligations imposed on processors:
- Transparency and traceability: the CNIL reiterates that processors are required to enter into a processing agreement with controllers, to keep a record of all their processing activities and to obtain the controller's prior written authorisation when using any subprocessors;
- Privacy by design and privacy by default: processors must take these principles into account at the initial design stages of a project as well as throughout the lifecycle of the processing. The CNIL gives a few practical examples of these concepts, such as the implementation of automated deletion processes, data minimization, selective and automatic purging of a database after a certain period of time, or management of access/authentication rights on request of the data subject;
- Obligation to alert, assist and advise the controller: processors must notify the controller of any data breach and inform it if they consider that a controller's instruction is unlawful; they must also assist controllers, to the extent possible, in responding to requests from data subjects who wish to exercise their rights, and otherwise in complying with controller obligations under the GDPR;
- Other obligations: processors must have appropriate security measures in place, ensure that employees who have access to personal data are bound by confidentiality and must delete or return the data to the controller once the processing operation is complete.
To help processors navigate these obligations, the CNIL elaborates a three-step checklist:
- Assess whether a DPO must be appointed. The CNIL simply reiterates Article 37 of the GDPR and the Article 29 Working Party's guidelines on DPOs, and also recommends designating a DPO as a best practice even when this is not required.
- Analyse and review existing contracts to include the data processing clauses required under the GDPR. The CNIL provides template data processing clauses, largely inspired by Article 28 of the GDPR, to be adapted and inserted in processing agreements until standard clauses are adopted by the European Commission in accordance with Article 28.7 of the GDPR.
- Create a record of data processing activities that processors conduct when acting on behalf of a controller and also for their own purposes.
In addition, the guide provides some explanation regarding processors' obligations when appointing a subprocessor (on the basis of either a general or a specific authorisation from the controller) and processors' responsibilities in helping the data controller to conduct data protection impact assessments. With respect to notifying data breaches to the data controller, the CNIL reminds processors that they have a legal obligation to inform their customers in case of a breach affecting customer data, but also gives both parties the option to decide contractually whether the processor may directly notify the supervisory authority and the data subjects on behalf of the controller and with its consent. The guide also addresses the possibility of electing a lead supervisory authority where there is a cross-border data processing activity, and the obligation to appoint a data representative if the processor is not established within the EU.
Finally, the CNIL provides a few examples of GDPR violations that would trigger administrative financial sanctions under the GDPR (such as acting outside the scope of or in contradiction with the instructions of the data controller or refusing to assist the data controller to comply with its obligations).
As regards the CNIL's template data processing clauses, they strictly follow the text of Article 28 of the GDPR and are provided as an example only; they must be adapted to concrete and bespoke situations.
The CNIL's guide is useful in that it consolidates all the GDPR requirements for processors into a single document and provides an example of template data processing clauses, pending the adoption by the European Commission of standard data processing clauses in accordance with Article 28.8 of the GDPR, which hopefully will provide more clarity on this issue.
With many thanks to: Richard Lawne, Trainee Solicitor (UK) - Silicon Valley