Any e-commerce business that is subject to the EU General Data Protection Regulation (GDPR) as a ‘controller’ will need to have in place an appropriate contract with any other controller with which it jointly shares data if that controller is outside the European Union. More importantly, any controller that is subject to the GDPR will need to have in place an appropriate data processing agreement with any third party that it shares data with where that third party is a ‘processor’ as defined under the GDPR.
The GDPR applies to both controllers and processors that are established in the European Union (eg, have EU legal entities) but also to any controller and processor not located in the European Union, where the processing activities are related to either the offering of goods or services to data subjects in the European Union (irrespective of whether a payment is required) or the monitoring of the behaviour of individuals insofar as such behaviour takes place within the European Union.
Many processors are offering hosted or cloud services that are not located in the European Union but which clearly cause the processor to be caught by the GDPR. Controllers or processors not established in the European Union, but where they are caught by the GDPR, must, subject to some exemptions, designate in writing a representative. That representative must be established in a member state where the data subjects whose data is being processed by the controller or processor are located (or where most of them are located).
The appointment of a representative means that all data protection issues from data subjects or data protection authorities will be addressed to that representative, but the appointment of the representative does not affect the responsibility and liability of the controller or the processor under the GDPR.
The GDPR is quite specific about the duties of the controller and the processor and indeed article 28(3) of the GDPR stipulates that there must be a contract in writing between the controller and processor that clearly sets out the subject matter of the processing and its duration as well as the nature and purposes of processing, the types of personal data, any particular special categories of data and the obligations and rights of both parties.
Failure to have in place a suitable data processing agreement is a breach of the law under the GDPR and therefore controllers should be carrying out an audit of their existing contracts with processors to establish whether those contracts already comply with the GDPR and, in addition, putting in place due diligence and procurement requirements in respect of contracts that are going to be entered into to which the GDPR will apply.
Articles 28 to 36 set out issues that must be addressed in the data protection agreement, which include the following:
- the processor must have adequate information security in place;
- the processor must not use sub-processors without the consent of the controller;
- the processor must cooperate with the relevant data protection authorities in the event of an inquiry;
- the processor must report data breaches to the controller without delay;
- the processor may need to appoint a mandatory data protection officer;
- the processor must keep records of all processing activities;
- the processor must comply with EU trans-border data-transfer rules;
- the processor must help the controller to comply with data subject rights;
- the processor must assist the data controller in managing the consequences of data breaches;
- the processor must delete or return all personal data at the end of the contract at the choice of the controller; and
- the processor must inform the controller if the processing instructions infringe the GDPR.
The urgent action for controllers right now is to ensure that in respect of data processing agreements:
- there are documented instructions;
- there is evidence of due diligence by the controller over the suitability of the processor in respect of the types of personal data being processed;
- there are suitable confidentiality clauses in the agreement;
- the processor has adequate information security in place;
- the contract manages the downline use of sub-processors.
- the contract puts in place measures for the processor to help the controller comply with data subject rights;
- there are mechanisms to assist in cooperation with the controller and the relevant data protection authorities;
- there are processes in place to deal with data incidents and data breach notifications; and
- there are processes in place to deal with the destruction or return of personal data at the end of the agreement.
In addition to those needs, processors should anticipate that controllers will want to revisit not only the mandatory terms under the GDPR, but also the issues around warranties and indemnities as well as the question of suitable insurance.
Since controllers and processors are equally bound to comply with the GDPR, in relation to international data transfers, there will need to be in place suitable solutions in relation to personal data being transferred from the European Union or more correctly the European Economic Area (EEA) to other jurisdictions.
In relation to international data transfers, the Privacy Shield is an approved solution to the extent that personal data is going from the EEA to the United States, but where data is being transferred across many borders other solutions such as the European Commission approved standard contractual clauses or binding corporate rules may be more appropriate.
While there are also a number of jurisdictions that have been deemed ‘approved’ jurisdictions by the European Union (such as Argentina, Canada and Israel), there is considerable uncertainty as to the best solution to use given that the Privacy Shield is under regular review by the European Commission as to its robustness as a data transfer solution. Equally, the standard contractual clauses are currently under review in the European Court of Justice and, in addition, the European Commission recently announced that it is reviewing all of the countries that have been deemed ‘adequate’ in the past to ensure that their laws are still fit for purpose in terms of the adequate protection of the rights of individuals.
All of the above raises the bar in relation to the pressures on both the controller and its processor in relation to any form of data processing, whether cloud-based or otherwise.
Controllers should be putting in place a number of due diligence activities in respect of the processors that they use, which can be summarised as data protection audit, documentation of data processing activities and obviously review.
Data protection audit or assessments via a controller of a processor might include the following:
- Do they process personal data or special categories of data (eg, criminal records, children’s data and health data)?
- What are the data flows?
- What are the processor’s information security policies and procedures?
- Does the processor have a history of breaches (notified or not)?
- Has the processor ever been audited or investigated by a data protection authority (does the data processor have a data protection officer)?
Documented data processing activities should address:
- data processing mapping for both intragroup and third-party processing;
- whether the terms and conditions of the processor in any way claim ownership of personal data received from the controller;
- how data retention and data destruction practices are managed; and
- how sub-processors are contractually managed.
Review of policies and procedures might require the data processor to produce:
- data incident response policy and procedures;
- data-sharing policy and procedures;
- standard operating procedures for vetting of staff;
- information security practices;
- cyber-risk assessment and compliance; and
- evidence of training.
Prudent processors must anticipate that their customers as controllers will carry out due diligence and seek to impose new contractual terms and therefore processors should immediately:
- carry out a GDPR compliance assessment;
- rewrite their terms of business as appropriate;
- audit their sub-processors and the contractual terms with them;
- review their insurance cover;
- address data transfer solutions;
- assess their policies and procedures;
- decide whether a mandatory data protection officer is necessary;
- put in place staff training on policies and procedures; and
- carry out a genuine assessment as to whether they are a mere processor or are actually a joint data controller with their customers.