Since the entry into force of the GDPR, new obligations have been imposed on both data processors and data controllers.
The controls carried out by the CNIL, within the framework of priority control themes for 2019, have revealed a real awareness of the new obligations weighing on subcontractors with in particular the development by the subcontractors themselves of model contractual clauses, annexed to the subcontracting contract (also referred to as service provision contract).
This advice is a continuation of the subcontractor guide published by the CNIL in September 2017. Work is underway at the level of the European Data Protection Committee on the concepts of controller and subcontractor, which will make it possible to clarify and complete these first reminders.
1/ Determine the status of the actors involved
When an organization processes personal data on behalf of a data controller, it is considered to be its subcontractor within the meaning of the GDPR. This is also the case if it provides a “turnkey” solution, if this organization actually processes personal data (and is not, for example, only a software publisher).
Conversely, if the subcontractor also processes the data resulting from this processing for its own account (for example, for customer relationship management or accounting purposes), it will be considered as data controller for this. specific treatment.
The client and the service provider each define their role on the basis of the applicable regulations (articles 4.7, 4.8 and 28.10 of the GDPR), by carrying out the analysis together, in order to then be able to agree on their respective obligations. .
This also applies to cases of subcontracting involving only one-off access to personal data (such as maintenance operations). Please note, this does not mean that the parties can together “choose” the qualification that suits them.
This clarification is essential to ensure legal certainty for both parties to the contract.
2 / Establish a clear contract
The controller and the subcontractor must enter into a contract including several mandatory information listed in article 28.3 of the GDPR. This should allow the parties:
- organize their relationships and their respective obligations with regard to the protection of personal data;
- integrate all of the information listed in article 28.3 of the GDPR, adapting them to their situation, and implement the obligations thus defined.
The following clauses constitute particular points of vigilance.
AT/ Define and supervise the treatment
The contract must clearly define the object, duration, nature and purpose of the processing, as well as the categories of personal data and the categories of data subjects. It is this definition which sets the framework of the processing for the subcontractor. In practice, the object of the processing will most often correspond to the activity of the subcontractor (for example, e-mail routing, data hosting, maintenance or support services).
Any processing operation not provided for in the contract should, in principle, be subject to prior renegotiation between the parties or at least written instructions from the controller.
B / Specify the conditions under which the subcontractor may himself use a subcontractor
The subcontractor can only recruit another subcontractor with the written authorization of the data controller (article 28 of the GDPR).
This authorization may be given to the subcontractor on a case-by-case basis, for each new subcontractor, or be general in scope. The CNIL recommends specifying in the contract which of these two authorization methods is chosen by the parties.
If the authorization is general in scope, the processor must inform the data controller of the list of its subsequent processors, as well as of any addition or replacement in this list, in order to allow it to object to it. he wishes it. In this case, the CNIL recommends entering into contractual arrangements for informing the principal and, possibly, the criteria for choosing these subcontractors.
The subcontractor must keep an up-to-date list of the subcontractors he uses in his register.
3 / Document the subcontracting activity
The data controller must ensure that his subcontractor complies with the GDPR. To do this, the contract must imperatively include a clause according to which the subcontractor makes available to the principal all the information necessary to demonstrate compliance with the obligations provided for in article 28 of the GDPR and to allow an audit by the data controller (or another auditor appointed by him).
In addition to concluding a subcontracting contract, the subcontractor must also:
- ensure that the instructions issued by the data controller are formalized in writing and record them in order to be able to demonstrate that they are acting on the instructions of the data controller;
- keep a register of processing activities carried out on behalf of the controller (article 30.2 of the GDPR);
- make available to the data controller all the information necessary to demonstrate compliance with his obligations and to allow audits to be carried out.
4 / Offer tools that respect personal data
The subcontractor must offer sufficient guarantees to meet the requirements of the GDPR (article 28.1 of the GDPR). It must offer solutions and tools that respect personal data.
It also has a role of assistance and advice with regard to the data controller. It must alert the data controller if it considers that an instruction it receives constitutes a violation of the applicable regulations regarding personal data.
For his part, the data controller must ensure that he uses services that include functionalities and technical tools that will allow him to ensure compliance.
The following features can help the data controller to ensure compliance:
- an interface for collecting consent, in the event that the processing of personal data carried out by the data controller requires the consent of the end user;
- an automatic unsubscribe link, when the processing of personal data is based on the user's consent, in order to allow him to withdraw this consent at any time;
- an interface and an information model for people;
- an automatic purging system for data whose retention period has expired.
5 / Help the data controller to respond to requests for the exercise of personal rights
The subcontractor must help the principal in processing requests to exercise the rights he receives (access, rectification, erasure, limitation, portability) in accordance with article 28.3.e) of the GDPR. This assistance is all the more essential as the subcontractor is sometimes the best able to ensure the technical implementation of the follow-up to requests for the exercise of rights.
It is therefore important to organize, from the conclusion of the subcontracting contract, the terms of this assistance and to ensure that the solution provided by the subcontractor incorporates functionalities allowing these requests to be answered easily and quickly.
It is possible to set up an interface for exercising individual rights, with a system for monitoring and automatically distributing requests for exercising rights according to their purpose.
This organization is all the more recommended as action must be given by the data controller to requests from persons exercising their rights as soon as possible, and in any event within one month of receipt. demand.
6 / Guarantee the security of the data collected
The data controller must call on a subcontractor who offers sufficient guarantees in terms of security. The subcontractor must ensure a sufficient level of security with regard to the nature of the data collected for the controller (article 32 of the GDPR).
In practice, the subcontractor plays a fundamental role insofar as, very often:
- it will ensure the effective implementation of the processing of personal data;
- it has the know-how and technical mastery of the marketed solution.
In the event of a data breach, the subcontractor must also help the data controller to fulfill his obligations to notify the CNIL and to communicate to the person concerned where applicable.
It is recommended :
- require the service provider to communicate its information systems security policy;
- ensure and document the effectiveness of the guarantees offered by the subcontractor in terms of data protection.
For example, the parties can implement the following means (by contractually supervising them if necessary): safety audits, visit of installations, certifications of the organization, certification of the skills of the DPO.
Both the data controller and the processor can impose a contractual obligation of confidentiality on their employees and ensure that they are aware of the main principles of data protection.
It is also recommended that the controller and the processor impose a contractual obligation of confidentiality on their employees and ensure that they are aware of the main principles of data protection.
Finally, it is necessary to limit access to only those authorized by reason of their functions, and by distinguishing between the different operations that can be carried out on the data (consultation, modification, deletion, export, etc.).
> Recommendations for companies considering subscribing to cloud computing services
> Subcontractor guide
Virginie Gastine Menou
RISKS AND YOU