The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: If a service provider has self-certified to Privacy Shield, are you required to put additional GDPR-related contractual provisions in place?
Answer: Yes. The GDPR imposes two requirements when a company (referred to in the GDPR as a “data controller”) uses a service provider (referred to in the GDPR as a “data processor”).
The first requirement is that if a data controller is based in the EEA and is transferring personal data to a processor that is based outside of the EEA, the parties must take steps to ensure that the jurisdiction in which the data is going affords the data “an adequate level of protection.”1 When the GDPR refers to an “adequate level of protection” it is not talking about the security of the data. Instead, it is referring to the protections afforded by the laws of the country to which the data will be transferred.
Under the GDPR, a jurisdiction typically affords data an “adequate level of protection” if one of four factors exist. First, the EU Commission can evaluate the laws of the foreign country and find that they are per se similar in nature to the GDPR. Second, the entity that will be receiving the data can enter into “binding corporate rules.” These refer to internal policies and procedures that have been presented to, and approved by, European data protection authorities.2 Third, a legally binding and enforceable instrument can be created between governments to facilitate the transfer of data. An example of such an instrument is the EU-US Privacy Shield framework that was negotiated, and approved by the EU Commission, in 2016.3 Fourth the parties can include contract provisions that have been pre-approved by the EU Commission as contractually guaranteeing an “adequate level of protection.”4
The second requirement imposed by the GDPR is that every service provider agreement must contain thirteen specific contractual provisions. Given the public attention paid to Privacy Shield, many contracting parties assume that the fact that a service provider has self-certified to the Privacy Shield framework satisfies each of these thirteen requirements. Unfortunately, self-certification does not. The following chart summarizes the thirteen requirements within Article 28 and indicates which of those requirements are satisfied, partially satisfied, or not addressed by a company that self-certifies to Privacy Shield:
|
GDPR
|
Privacy Shield
|
|
Summary of Requirement
|
Reference
|
Requirement Satisfied by Privacy Shield
|
Explanation
|
|
1. Description of Processing. The contract must specify:
1. subject matter of processing.
2. duration of processing.
3. nature and purpose of processing.
4. type of personal data to be processed
5. categories of data subjects about which the data relates.
(c/p)
|
Art. 23(3)
|
Gap
|
Privacy Shield registration does not in of itself specify the type of personal data processed, the categories of data subjects involved, or the scope of permissible processing.
|
|
2. Documented Instructions. A service provider can only process personal data consistent with a controllers documented instructions.
(c/p)
|
Art. 28(3)(a)
|
Gap
|
Privacy Shield recognizes that a data controller in the EU is “always required to enter into a contract when a transfer for mere processing is made . . . whether or not the processor participates in the Privacy Shield, and that the purpose of the contract is to “make sure that the processor acts only on instructions from the controller.”5
|
|
3. Confidentiality. It must contain a confidentiality provision. That provision must ensure that persons authorized to process personal data have committed themselves to confidentiality.
(c/p)
|
Art. 28(3)(b).
|
Partial Gap
|
The purpose limitation contained in Principle 5(a) might be interpreted as precluding a service provider from disclosing personal data, as such disclosure would presumably be “incompatible with the purposes for which [the data] has been collected . . . .”
|
|
4. Processor Security. Service provider will implement appropriate technical and organizational measures to secure information.
(c/p)
|
Art. 28(1)
Art. 28(3)(c)
Art. 32(1) (
|
Satisfied
|
Privacy Shield requires “Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.”6
|
|
5. Subcontracting authorization. A service provider must obtain written authorization before subcontracting, and must inform the Company before it makes any changes to its subcontractors.
(c/p)
|
Art. 28(2)
Art. 28(3)(d).
|
No.
|
Privacy Shield requires that a registrant ensure that its service providers only use information for “limited and specified purposes.”7 It does not, however, require that a registrant that is acting as a data processor obtain the consent of the data controller prior to the use of a subcontractor.
|
|
6. Subcontracting flow down obligations. Service provider will flow down these obligations to any subprocessors.
(c/p)
|
Art. 28(3)(d) Art. 28(4)
|
Partial Gap
|
While Privacy Shield does have some flow down obligations, as not all of the provisions that must be placed in contracts by GDPR are inherent in Privacy Shield, flow down provisions created by Privacy Shield do not cover the full scope of the flow down obligations in GDPR.
|
|
7. Subcontracting liability. A service provider must remain fully liable to the controller for the performance of a sub-processors obligations..
|
Art. 28(3)(d)
|
Partial Gap
|
The Privacy Shield references that an organization remains
“liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles unless the organization proves that it is not responsible for the event giving rise to the damage.”8 It is not clear whether the exception to liability in Privacy Shield is consistent with the liability provisions in the GDPR.
|
|
8. Responding to data subjects. Service provider will assist the Company to respond to any requests by a data subject.
(c/p)
|
Art. 28(3)(e)
Art. 12 – 23
|
Partial Gap
|
Privacy Shield requires that a service provider grant access, rectification, and deletion requests to a data subject.9 This may be at odds with GDPR which requires that a service provider cooperate with the data controller, but permit the data controller to respond to such requests.
|
|
9. Assisting Controller In Responding to Data Breach. Service provider will cooperate with controller in the event of a personal data breach.
|
Art. 28(3)(f) Art. 33 – 34
|
Gap
|
Privacy Shield does not discuss the obligation of a service provider to cooperate with a controller in the event of a personal data breach.
|
|
10. Assisting Controller In Creating DPIA. Service provider will cooperate with controller in the event the controller initiates a data protection impact assessment.
|
Art. 28(3)(f)
Art. 35)
Art. 35-36
|
Gap
|
Privacy Shield does not discuss the obligation of a service provider to cooperate with a controller to conduct a DPIA.
|
|
11. Delete or return data. Service provider will delete or return data at the end of the engagement.
(c/p)
|
Art. 28(3)(g)
|
Partial Gap
|
Privacy Shield prohibits maintaining information in an identifiable manner after it has served its permissible purpose.10 Note, however, that it does not mandate that the data be deleted or returned at the election of the data controller.
|
|
12. Audit Right. Service provider will allow Company to conduct audits or inspections for compliance to these obligations.
(c/p)
|
Art. 28(3)(h).
|
Gap
|
Privacy Shield requires that the registrant conduct their own audits of their internal privacy practices; it does not guarantee that a data controller has audit rights vis-à-vis a data processor.
|
|
13. Cross-border transfers. Service provider will not transfer data outside of the EEA without permission of Company.
(c/p)
|
Art. 28(3)(a)
Art. 46
|
Gap
|
Privacy Shield does not prohibit a service provider from doing an onward transfer to a Subprocessor that is located outside of the EEA (or outside of the US).
|
[View source.]
