
Complying with GDPR Using a Data Processor - Key Obligations
Learn about the essential obligations for complying with GDPR when utilizing a data processor, including the distinction between controllers and processors, data transfers, and the importance of written contracts. Stay informed and ensure compliance to protect personal data effectively.
Presentation Transcript
HOW TO COMPLY WITH GDPR WHEN USING A DATA PROCESSOR
24 April 2018
www.dlapiper.com | Summary; not for reliance

Agenda
1. Why it matters
2. Controller vs processor: the distinction
3. Obligations of a processor
4. Transfers of personal data outside of the EEA
5. Useful resources
1 Why it matters
1. Why it matters
"To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing" (Recital 81, GDPR)

1. Why it matters
New under GDPR:
- Wider definition of "personal data" to explicitly include (e.g.) ID numbers, location data and online identifiers means more processors are likely to be processing personal data
- A written contract between controller and processor is now a general requirement
- Contract must contain terms covering a prescribed list of topics designed to ensure that the processing meets the standard of GDPR
- Processors have direct liability for certain provisions of GDPR
- Where a controller and processor are involved in the "same processing", and where they are liable for any damage for breach of GDPR, each will be liable for all of the damage (i.e. joint and several liability) unless the processor is not responsible for the breach

1. Why it matters
Need to be cognisant of the new requirements if:
- Controller: you are appointing a processor (including a group company)
- Processor: you are appointed as a processor (including by a group company)
- Sub-Processor: you are appointing, or are appointed as, a sub-processor (including by a group company)
2 Controller vs processor: the distinction

2. Controller vs processor: the distinction
But be careful; not every third party is a processor.
[Diagram: Controller > Processor > Sub-Processor chain]

2. Controller vs processor: the distinction
GDPR differentiates between controllers and processors:

Controllers
- GDPR applies directly. All requirements of GDPR apply to controllers.
- "controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- In general, controllers are responsible for processing by processors.
- Full range of sanctions and fines apply.

Processors
- GDPR applies directly and indirectly. A reduced list of requirements of GDPR applies to processors and, unlike pre-GDPR law, processors are also exposed to sanctions and fines.
- "processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- In addition, processors must be bound by a contract with the controller, including extensive drafting to principles mandated by GDPR.

2. Controller vs processor: the distinction
Q: How do we determine whether an entity is a controller or a processor?
For each processing activity, we must look at who has control over the purposes and the means of processing.
Indicative factors:
- Legal obligations
- Factual influence
- Terms of the contract
- Degree of actual control over essential elements ("room to manoeuvre")
- Image given to data subjects
- Reasonable expectation of data subjects

2. Controller vs processor: the distinction
Examples from guidance: Cloud computing
"Although the cloud provider provides a range of services and uses a great deal of its own technical expertise to do this, it is still only a data processor. A key consideration is that the conditions of the contract mean the cloud provider has no scope to use the data for any of its own purposes. In addition, the cloud provider does not collect any information itself."
Conclusion: Processor

2. Controller vs processor: the distinction
Examples from guidance: Certain specialist IT services
"The vehicle-tracking company is a data controller in its own right. This is because it has sufficient freedom to use its expertise to decide which information to collect about cars (and their drivers) and how to analyse this. It is entirely in control of its own data collection: the operation of the vehicle-tracking software is a trade secret and the hire company does not even know what information is collected. Although the hire company determines the overall purpose of the tracking (the recovery of its cars), the fact that the tracking company has such a degree of freedom to decide which information to collect and how, means it is a data controller in its own right."
Conclusion: Controller

2. Controller vs processor: the distinction
Examples from guidance: Regulated professional services
"A firm uses an accountant to do its books. When acting for his client, the accountant is a data controller in relation to the personal data in the accounts. This is because accountants and similar providers of professional services work under a range of professional obligations which oblige them to take responsibility for the personal data they process. For example if the accountant detects malpractice whilst doing the firm's accounts he may, depending on its nature, be required under his monitoring obligations to report the malpractice to the police or other authorities. In doing so an accountant would not be acting on the client's instructions but in accordance with its own professional obligations and therefore as a data controller in his own right."
Conclusion: Controller

2. Controller vs processor: the distinction
Each scenario will turn on its facts:
- Who determines the purpose of processing? That party is the de facto data controller.
- Who determines the means of processing? This can be delegated to a processor, but deciding substantial questions essential to the core of lawfulness of processing (e.g. type of data, length of storage, access etc.) makes a party a data controller.
Examples:
- IT asset disposal: Processor? (As per ADISA criteria)
- IT forensics: Controller?

2. Controller vs processor: the distinction
Other cases
"Mere conduit"
- Services where personal data is carried but not processed; mainly mail delivery / courier services
- Difficult to interpret (e.g. is there a difference between a "physical" and a "logical" / electronic envelope?); often best to avoid
Joint controllership
- Services where more than one party jointly establish purposes and means
- Mutual compliance with law obligations
- Needs an "arrangement" to determine who is responsible for which part of GDPR compliance (Art 26)
- Co-operation on privacy notices for data subjects
- Co-operation on data subject rights, enforcement etc.
- Mutual notification and co-operation re data breaches
- Be thoughtful about VARs
3 Obligations of a processor
3. Obligations of a processor
Applicable where you are acting as a processor, or appointing a processor:

Required to be set out in the contract with the controller (Art 28(3)):
- Documented instructions (Art 28(3)(a))
- Confidentiality, including of all persons authorised, e.g. staff (Art 28(3)(b))
- Security of processing (Art 28(3)(c))
- Engaging sub-processors (Art 28(3)(d))
- Support controller in complying with various data subject rights (Art 28(3)(e))
- Support controller in complying with various operational rules (Art 28(3)(f))
- At end of processing, delete or return data (Art 28(3)(g))
- Demonstrate compliance, including via audits (Art 28(3)(h))

Direct obligations on the processor under the Regulation:
- Records of processing activity (Art. 30(2))
- Notifying breaches to the data controller (Art. 33)
- Co-operation with supervisory authorities (Art. 31)
- Appointing a representative in the EU (Art. 27)
- Security of processing (Art. 32)
- Using sub-processors (Art. 28(2))
- Appointing a DPO (Art. 37)

3. Obligations of a processor
FAQ: What data subject rights does the processor need to help the controller comply with?

3. Obligations of a processor
FAQ: What audit rights do we need to seek / grant under Art. 28(3)?
Draft guidance: Under Article 28.3(h) your contract must provide that:
- your processor must provide you with all the information that is needed to show that both of you have met the obligations of Article 28;
- your processor must submit and contribute to audits and inspections that you carry out, or another auditor appointed by you carries out; and
- your processor must tell you immediately if it thinks it has been given an instruction which doesn't comply with the GDPR, or related data protection law.

3. Obligations of a processor
FAQ: What is a notifiable personal data breach? (Art. 33)
"... a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."

3. Obligations of a processor
FAQ: Do we need a Data Protection Officer (DPO)? (Art. 37)

3. Obligations of a processor
FAQ: Is it possible to limit liability for breach of GDPR as a processor?
Nuanced legal question:
- Law of contract applies, so it may be appropriate to do so for Art 28(3) requirements (albeit it can be difficult to work out exactly what losses are "in-scope" of the limit); but
- GDPR has its own liability allocation process in respect of claims from data subjects (Article 82)

3. Obligations of a processor
Putting it together: a common contract structure

Security
- Requirement: Processor has direct responsibility to maintain security of processing (Art. 32). Obligation to only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures (applies to all processors) (Art. 28(1)).
- Where it sits: Security Measures Addendum

Contract
- Requirement: Must be a binding contract in place with the processor, setting out / containing (Art. 28(3)): subject-matter and duration of the processing; nature and purpose of the processing; type of personal data; categories of data subjects; obligations and rights of the controller; prescribed requirements (see next slide).
- Where it sits: Main contract (description of processing); Data Protection Addendum (legal terms: reminder of statutory obligations / additional procedural detail)

Sub-Processing
- Requirement: Sub-processing is prohibited without the prior specific or general written consent of the controller (Art. 28(2)). Even then, there is an obligation to inform the controller of any changes, thereby allowing for any objections; this is a direct obligation on processors. Where a sub-processor is permitted, "the same obligations" must be imposed on the sub-processor (Art. 28(4)). The processor remains liable to the controller for the contractual performance of the sub-processor.
- Where it sits: List of approved sub-contractors; form of notice of changes to sub-contractors
4 Transfers of personal data outside of the EEA
4. Transfer of personal data outside the EEA
The GDPR regulates transfers of personal data outside the EEA. A transfer is a processing activity which involves either: (i) a transfer of personal data to; or (ii) an access of personal data from, a non-EEA third country.

Sending personal data to a third country
- A transfer (by any means, whether electronic or physical) of personal data outside of the EEA
- Examples: sending personal data by email; sending personal data by postal mail; uploading to a file sharing website in a third country

Accessing personal data from a third country
- Someone in a country outside the EEA accesses personal data that is stored within the EEA
- Examples: uploading to a file sharing website within the EU, with vendor's staff located in a third country logging in and downloading the personal data; permitting vendor staff located in a third country remote access to your production environment within the EU which contains personal data

Routing or transmission of personal data through a territory will only constitute a transfer under the GDPR if it involves processing.

4. Transfer of personal data outside the EEA
5 Useful resources
5. Useful resources
DLA Piper's guide to the GDPR: https://www.dlapiper.com/en/uk/focus/eu-data-protection-regulation/home/
ICO Guidance (including links to draft GDPR contracts guidance):
https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
https://ico.org.uk/media/about-the-ico/consultations/2014789/draft-gdpr-contracts-guidance-v1-for-consultation-september-2017.pdf
Article 29 Working Party opinions / guidance (website update in progress): http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083
GDPR final text: http://eur-lex.europa.eu/eli/reg/2016/679/oj

Any Questions?