GDPR subcontractor: why regulate subcontracting?
Article 28 of the GDPR states that where processing is to be carried out on behalf of a controller, the controller shall use only subcontractors (the GDPR's English text calls them "processors") providing sufficient guarantees to implement appropriate technical and organizational measures, in such a manner that the processing meets the requirements of the Regulation and ensures the protection of the rights of the data subject.
This article raises several essential points, notably the notion of sufficient guarantees, but also the protection of the rights of data subjects.
There is also the important qualification of joint processing: when two persons, entities, services or others jointly determine the purposes and means of processing personal data, they have the status of "joint controllers" of that processing within the meaning of Article 26 of the GDPR. This relationship must also be framed by contract, since the obligations of each party may differ.
Since each actor has to define its role (controller, subcontractor or joint controller) for the processing concerned, GDPR clauses are becoming ever more detailed, with consequences that vary according to that role.
GDPR contractual clauses, a mandatory framework for relations between GDPR subcontractor and principal
These clauses matter because they frame the relationship between the actors, and in particular the allocation of responsibility.
Under Article 28 of the GDPR, these clauses must be set out in writing and must cover at least: how the parties will cooperate when data subjects exercise their rights; the security measures required by Article 32 (to which Article 28(3)(c) refers); the procedure for notifying a personal data breach; data transfer clauses; and audit clauses.
Several types of relationship can be identified. For this analysis we will assume that the organization, whatever its role, is the one drafting the clauses; we will call it "organization A".
A. Define the conditions of subcontracting
Organization A is the data controller and its co-contractor is a GDPR subcontractor, that is, it acts on behalf of and on the instructions of the controller, here organization A.
The challenge for organization A is to define the conditions of subcontracting, in other words to fulfil the obligations of the applicable regulations, in particular the obligation to have a written contract. This binds the GDPR subcontractor to the level of commitment defined by the organization, particularly with regard to any further subcontracting, where subcontractor 1 engages subcontractor 2.
When organization A is itself a GDPR subcontractor, drafting these clauses allows it to reduce the risk of being qualified as a joint controller.
The obligations of the two roles differ. In addition, this allows organization A to avoid committing to more than it can deliver, for example in terms of the services to be provided. A requalification of organization A as controller is nevertheless not excluded following an "in concreto" analysis of the actual relationship between organization A and its principal for the processing concerned.
Care must therefore be taken that, in its relationship with the principal, organization A never behaves as a joint controller, so that its conduct faithfully reflects what has been contracted with the principal.
B. Information of data subjects
Organization A is the data controller and its counterparties are the data subjects. Thanks to these clauses, the controller fulfils the obligations of the applicable regulations, in particular the obligation to inform the data subjects.
In another scenario, organization A is still the controller but relies on an intermediary to reach the data subjects. This is particularly the case when it is difficult or impossible to inform them directly. The obligation is then passed on, by contract, to a co-contractor that is in contact with the data subjects, for example an employer informing its employees.
Organization A is a GDPR subcontractor and its co-contractor is the controller. These clauses make it possible to specify, in the documents enforceable against end users, that organization A is not the controller but only the subcontractor, because it is not the one determining the purposes and means of the processing.
C. Exclude subcontracting
Organization A is a data controller and so is its co-contractor, each for its own processing. Clauses stating that each party is independently responsible for its own compliance with the applicable regulations make it possible to avoid the qualification of subcontractor.
D. Examples of limiting clauses
It is becoming important for organizations to limit their responsibilities, within the limits allowed by the regulations. As an example, below is a contractual clause illustrating this:
"The Partner will take care not to submit, transmit or store Data that would require the organization to comply with specific laws or regulations other than those expressly provided for in the Contract.
Within the meaning of Law No. 2004-575 of June 21, 2004, for Confidence in the Digital Economy, known as the "LCEN", the organization is deemed to be the host of the Data and the Partner the publisher of the content and Data. Indeed, the organization does not carry out any prior verification of the Partner's Data and cannot therefore be held responsible for the content or effects of this Data, without prejudice to compliance with the Data Protection Regulations in the case of Personal Data."
The point is to state that the organization does not control the personal data it processes; it therefore cannot be held responsible for a failure attributable to the controller.
We can also find this formulation:
"The Partner has informed the organization that its Data may include Personal Data. The Partner undertakes, however, to process and to subcontract to the organization only the Personal Data strictly necessary to meet its own needs and those of its users within the framework of the Services. The Partner acknowledges and accepts that it acts as a "Data Controller" within the meaning of the Data Protection Regulations with respect to its Personal Data, the organization being deemed a "Subcontractor" and acting as such under the instructions of the Partner."
The end of the contractual relationship
These clauses, which govern the relationship, can provide for the consequences of the contract coming to an end, or even justify terminating the contract when they are not complied with. They therefore deserve particular attention when negotiating a contract.
The end of the relationship can come about in two ways: because the contract reaches its term, or through termination.
A. Term of the contract
The contract ends because the service has ended: the data processing linked to it therefore no longer has any purpose.
The clauses must provide for what happens to the data at the end of the contract. This is first of all necessary for the operational management of internal personal data policies. Without a "standardized" contractual commitment reflecting the internal personal data management policy, managing operations (and therefore "real" compliance) becomes even more difficult. The objective for the subcontractor is, for example, to limit the retention period so as not to store "unnecessary" data which, beyond the associated costs, would keep it bound by its obligations as a subcontractor regarding that data.
For example, once the data has been deleted, it will no longer have to handle any rights requests passed on by its principal.
Obviously, it should be borne in mind that Union or Member State law may impose a minimum retention period for this data.
B. Termination of the contract
If the parties have provided for it contractually, non-compliance with the contractual clauses may bring the contract to an end, in particular through termination.
Below is a termination clause illustrating this:
"In the event of non-compliance with these provisions, the Customer may terminate this Contract automatically, without penalty and without prior notice, without prejudice to the possibility of claiming compensation for the damage suffered."
The insertion of such a clause is a real asset for the principal, which can release itself from its obligations towards its subcontractor in the event of non-compliance with the contractual clauses relating to the GDPR.
Although compliance with the GDPR is obviously not an "option" for the subcontractor, a GDPR clause imposing obligations that go beyond the Regulation could considerably weaken the sustainability of its relationship with its principal. With such clauses, the principal can "get rid of" a subcontractor at no cost if the latter fails to comply with the contractual stipulations, or use that failure as leverage to renegotiate the financial terms of the contract drastically by threatening termination.
So, stay vigilant!