Keypoint: Entities that use Article 28 data processing agreements should closely review the EDPB’s draft guidelines and modify their data processing agreements as necessary.
In September, the European Data Protection Board (EDPB) adopted Guidelines 7/2020 on the concepts of controller and processor in the GDPR (Guidelines). The Guidelines, which are open for public consultation until October 19, 2020, address three topics – the distinctions between controllers and processors, the relationship between controllers and processors, and the consequences of joint controllership.
Although the other topics bear close consideration, the Guidelines’ analysis of the relationship between controllers and processors – in particular, its discussion of Article 28 data processing agreements (DPAs) – should be closely examined by entities using DPAs. This is particularly true given the intense focus on DPAs in the context of international data transfers post Schrems II.
In the analysis below, we first provide a brief background on Article 28 and then discuss its requirements in further detail in the context of the EDPB’s guidance. In summary, the EDPB’s Guidelines require entities to conduct a thorough and considered analysis of these relationships and not simply use boilerplate DPAs.
Background on Article 28
Article 28 establishes the requirements for the processing of personal data by processors. For example, controllers are required to “use only processors providing sufficient guarantees to implement appropriate technical and organisational measures” to ensure that the processing satisfies GDPR’s requirements and protects the rights of data subjects. Processors also cannot engage sub-processors without the controller’s specific or general written authorization.
Further, the processing must be done pursuant to a contract or other legal act under Union or Member state law. As discussed in detail below, the contract must cover at least eight topics, including ensuring that the processing is carried out only on documented instructions from the controller and that the processor will allow for and contribute to audits to demonstrate compliance with GDPR.
- Choice of Processor (Article 28(1))
As a starting point, the Guidelines emphasize that a controller has an affirmative duty under Article 28(1) to vet processors and “should be able to prove that it has taken all of the elements provided in the GDPR into serious legal consideration.” This will often “require an exchange of relevant documentation” such as privacy policies, terms of service, records of processing activities, records management policies, information security policies, reports of external audits and any recognized certifications such as ISO 27000 series.
The scope of this case-by-case risk assessment should depend on the nature, scope, context and purposes of the processing and should consider the processor’s expert knowledge, reliability and resources as well as its reputation.
- Data Processing Agreements (Article 28(3))
The Guidelines reinforce that the failure of a controller and processor to enter into a written contract “is an infringement of the GDPR” and that “[b]oth the controller and processor are responsible for ensuring that there is a contract or other legal act to govern the processing.”
The parties can negotiate their own contract or use standard contractual clauses adopted by the European Commission or a supervisory authority in accordance with the consistency mechanism. The Danish Supervisory Authority has adopted such a document. However, standard contractual clauses in this context must be distinguished from the European Commission’s standard contractual clauses used for cross-border data transfers which, of course, are the subject of much discussion after Schrems II.
The EDPB does not consider it significant whether the controller or processor drafts the DPA and recognizes that, in many situations, larger processors will be in a better bargaining position than smaller controllers. However, that “imbalance in the contractual power” does not relieve the controller of its responsibility for ensuring GDPR compliance.
The Guidelines further emphasize that “the processing agreement should not merely restate the provisions of the GDPR: rather, it should include more specific, concrete information as to how the requirements will be met and which level of security is required for the personal data processing that is the object of the processing agreement.” However, the parties also should consider the nature of the processing activity and are not necessarily required to implement stringent protections for low risk activities.
The DPA also must identify the subject matter, duration, nature, and purpose of the processing as well as the type of personal data and categories of data subjects. The Guidelines state that these disclosures must be specific and detailed and should be the product of considered analysis by the parties.
The Guidelines’ discussion of each of Article 28(3)’s requirements follows.
- Documented Instructions (Article 28(3)(a))
Article 28(3)(a) provides that the processing must be done on documented instructions from the controller. The Guidelines emphasize that these instructions must be documented and recommend that the DPA “include a procedure and a template for giving further instructions in an annex.” The Guidelines recognize that instructions can be provided in written form, such as email; however, it must be possible to keep a record of those instructions and, preferably, to keep them together with the DPA.
If applicable, the DPA also must satisfy the requirements for any transfers to third countries or international organizations. The Guidelines do not reference the Schrems II decision or provide any further clarity on this issue in the wake of that decision. The EDPB has separately indicated that such guidance is forthcoming.
- Confidentiality (Article 28(3)(b))
Article 28(3)(b) provides that the processor should ensure that persons authorized to process the personal data have “committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.” The Guidelines clarify that this includes both employees and temporary workers. Further, the processor should make the personal data available only to employees on a need-to-know basis. The confidentiality agreement must “effectively forbid the authorised person from disclosing any confidential information without authorisation, and it must be sufficiently broad so as to encompass all the personal data processed on behalf of the controller as well as the details concerning the relationship.”
- Technical and Organizational Security Measures (Article 28(3)(c))
Article 28(3)(c) provides that processors must “take all measures required pursuant to Article 32”, which requires the implementation of appropriate technical and organizational security measures. According to the Guidelines, the “contract needs to include or reference information as to the security measures to be adopted, an obligation on the processor to obtain the controller’s approval before making changes, and a regular review of the security measures so as to ensure their appropriateness with regard to risks, which may evolve over time.” The Guidelines recognize that the level of instruction will depend on the specific circumstances. However, as with the other guidance, the Guidelines emphasize that these measures must be specific to the situation and not boilerplate language.
- Sub-processors (Article 28(3)(d))
Article 28(3)(d) requires the DPA to incorporate the requirement that processors shall not engage another processor without the controller’s prior specific or general authorization, and the requirement that any sub-processors be bound by the same obligations as the processor.
In the case of general authorizations, the processor has to inform the controller of any change in the use of sub-processors and give the controller an opportunity to object. The Guidelines recommend that this process be set forth in the DPA.
Of note, the Guidelines provide that “the processor’s duty to inform the controller of any change of sub-processors implies that the processor actively indicates or flags such changes toward the controller.” In a footnote, the EDPB clarifies: “In this regard it is, by contrast, e.g. not sufficient for the processor to merely provide the controller with a generalized access to a list of the sub-processors which might be updated from time to time, without pointing to each new sub-processor envisaged. In other words, the processor must actively inform the controller of any change to the list (i.e. in particular of each new envisaged sub-processor).”
Further discussion of the EDPB’s guidance with respect to sub-processors is found below in the discussion of Article 28(2).
- Assist with Data Subject Requests (Article 28(3)(e))
Article 28(3)(e) provides that the DPA must require the processor to assist the controller with responding to data subject requests. The Guidelines state that the details of this assistance should be included in the DPA or in an annex thereto. The EDPB emphasizes that the controller maintains the responsibility of responding to the request although the practical management of such requests can be outsourced to the processor.
- Assist Controller with Article 32 to 36 Compliance Obligations (Article 28(3)(f))
Article 28(3)(f) requires the processor to assist the controller in ensuring compliance with the obligations in Articles 32 to 36. For reference, these articles are:
- Article 32 – Duty to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
- Article 33 – Notice to supervisory authority in the event of a security breach
- Article 34 – Communication of personal data breach to data subject
- Article 35 – Data protection impact assessment (DPIA)
- Article 36 – Duty of controller to consult supervisory authority prior to processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk
The Guidelines state that the DPA “should contain details as to how the processor is asked to help the controller meet the listed obligations.” This can include adding procedures and template forms in annexes.
With respect to data breaches, the Guidelines recommend that the DPA provide a specific time frame for notification (e.g., number of hours), identify the point of contact for the notification, and specify how the processor shall notify the controller in the event of a breach.
- Deletion or Return of Personal Data (Article 28(3)(g))
Article 28(3)(g) provides that the processor shall, at the choice of the controller, delete or return personal data after provision of the services and delete any copies unless Union or Member State law requires that it be stored. According to the EDPB, if the DPA specifies one or the other, it should allow the controller to change that choice before the end of the services. If the personal data is deleted, it should be done securely, and the processor should confirm to the controller when the deletion has been completed within an agreed timeframe and manner.
- Verifying Compliance (Article 28(3)(h))
Finally, Article 28(3)(h) provides that the processor shall make available to the controller all information necessary to demonstrate compliance with Article 28, including allowing for and contributing to audits and inspections. The Guidelines state that the DPA should include details on how often and the manner in which the flow of information between the processor and the controller should take place.
- Written Authorization for Use of Sub-processors (Article 28(2))
As discussed, Article 28(2) provides that the processor shall not engage another processor without the controller’s prior specific or general written authorization.
For both authorizations, the processor must obtain the controller’s written authorization before any data processing is performed by a sub-processor. To do so, the processor needs to provide a list of intended sub-processors, including their locations, what they will be doing, and proof of what safeguards have been implemented. If sub-processors are known at the time of the DPA, the list of approved sub-processors should be included in the DPA or an annex thereto.
If a controller chooses to give its specific authorization, it should specify in writing the sub-processor and the processing activity that is authorized. Any changes will need to be approved by the controller. Only if the controller affirmatively consents will the authorization be approved. Notice and subsequent silence are insufficient.
For general authorization, the controller may approve a list of sub-processors in an annex to the DPA coupled with criteria to guide the processor’s choice of sub-processors (e.g., guarantees in terms of technical and organizational measures, expert knowledge, reliability and resources). For general authorizations, the processor still needs to provide the controller with notice of any intended additions or replacements of sub-processors and an opportunity to object. However, the controller’s failure to object can be interpreted as authorization. Consequently, for general authorization, notice and subsequent silence is sufficient.
In both cases, the DPA should provide details for the timeframe for the controller’s approval or objection and details on how the parties intend to communicate on the topic.
As discussed, the Guidelines are open for public consultation until October 19, 2020. However, given the intense scrutiny being applied to DPAs in the wake of Schrems II, entities should use this opportunity to update their DPAs to ensure that they are consistent with the EDPB’s guidance.