Do you monitor the privacy compliance of your suppliers, agents & shops?
The EU Privacy Regulation obliges to put in place a more stringent monitoring on suppliers, agents and shops to avoid liabilities and damages.
I had already discussed in a previous post about the new risks/liabilities that the EU General Data Protection Regulation (GDPR) poses on suppliers, agents, shops (e.g. in case of retailers and fashion companies) and in general terms those entities that process personal data on behalf of third parties, the so called “data processors“. But this post looks at the issue from the perspective of the party (the “data controller“) that instructs the data processor. Also, if you can review below the other posts of this series below
What changes in the data processing agreement?
Up until now, my personal experience has been that there was a tendency to draft data processing agreements or letters of appointment of data processors with a standard format which was used for any type of supplier, agent or contractor, regardless of the categories of data and modalities of data processing activity that it was meant to perform.
The scenario completely changes with the EU Privacy Regulation that will oblige companies to renegotiate all the data processing agreements with those entities processing personal data on their behalf, such as their trade agents, cloud or IoT suppliers, payroll providers, retail shops etc.. Indeed, the GDPR provides for a detailed list of instructions that have to be contained in the agreement.
How long is the line of processing?
Data processors shall be instructed to “not engage another processor without prior specific or general written authorisation of the controller“. This is a principle which is “in theory” already in place, but we had clients where the “line of data processing” was made of 5+ entities which were sometimes almost totally ignored by the data controller that had not even been notified of their identity. The EU Data Protection Regulation introduces more flexibility in appointing processors that act on behalf of other processors, but such flexibility still requires that data controllers are able to have at any time a full picture of the data processing activities performed on their behalf.
Is data kept secure and you have full control of data breaches?
Data processors need to be required to comply with the same “appropriate technical and organisational measures to ensure a level of security appropriate to the risk” that are imposed on the instructing party (i.e. the data controller). But how is this complied with by for instance banks or insurance companies that usually have thousands of independent trade agencies on the territory which in some cases are small companies? Likewise, can companies still rely on services provided by start-ups or small/medium sized companies?
Also, a procedure for the notification of data breaches (i.e. unlawful access of personal data) shall be put in place. This might be easy in the cases of well structured entities (e.g. a cloud provider), but again when we have our small trade agents that lose their laptop and do not notify a data breach to the instructing party as they don’t want to risk to lose their client, a major issue might arise.
How are audits performed?
The GDPR requires that the data processor commits to make available to the controller all information necessary to demonstrate compliance with its privacy obligations and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
This obligation is reinforced by the need for data processors to keep a “record of all categories of processing activities carried out on behalf of a controller“. Indeed, let’s consider for instance a cloud provider or a trade agent that might process personal data on behalf of a large number of entities, such entities shall keep a record of the categories of processing activities carried out by each of their customers.
Your defence cannot be the data processor’s privacy misconduct
The feedback that we usually receive from some clients is that they cannot be held liable for their data processors’ misconduct if the latter contravened to the instructions provided by them. It is true that in case of such misconducts the data processor itself will risk the “famous” very large fines, but the GDPR introduces the principle of accountability that places the burden of proof of demonstrating compliance with privacy obligations on the data controller.
This means that the mere execution of a “standard” data processing agreement would not suffice. This has to be accompanied at least by periodic trainings (e.g. by means of webinars), audits and procedures aimed at checking data processors’ level of compliance and correcting potential misconducts.
Likewise, data controllers shall ensure that the security measures put in place by data processors are compliant, and this might be ensured for instance obliging agents to perform any activity carried on behalf of a controller in a “safe” virtual environment set up by the controller.
Also, it is crucial to have a procedure to handle the termination of agreements in order to ensure that an illegal processing of personal data or a data breach occurs just because the supplier/agent keeps some data on its devices/servers.
How do you select your agents, suppliers and shop personnel?
Because of the scenario above, the selection of agents, suppliers and shop personnel will require a much more detailed due diligence on them. Data protection authorities have not yet accredited certification entities which might certify the level of privacy compliance of their clients, but this is likely to become in the long term a “must-have” or at least will represent a competitive advantage.
Regardless of the presence of any sort of certification, it is recommendable that – at least prior to the coming into force of the EU General Data Protection Regulation – companies
- map all their suppliers, agents and their sub-processors that shall be disclosed;
- oblige those entities to provide the registry required by the GDPR, outlining – among others – all the data processing activities performed on behalf of the instructing company and the measures put in place to protect personal data;
- exclude those suppliers/agents/contractors that are too small or reluctant/unable to comply with the GDPR privacy obligations, requiring in any case suppliers to have a very limited line of data processors;
- perform – even remotely through webinars with multiple questions – a training on the measures required by the GDPR and repeat such training at least every other year;
- enter into a new data processing agreement with such entities compliant with the terms of the GDPR;
- perform periodic random audits and have in place technical measures aimed at identifying potential illegal access or processing of personal data processed on their behalf; and
- require each supplier/agent/contractor to send at the end of each year the updated version of the registry of point 2 above together with a statement conforming the full compliance with the GDPR and the lack of any event to report.
If you found this article interesting, please share it on your favourite social media!
WRITTEN BY GIULIO CORAGGIO
IT, gaming, privacy and commercial lawyer at the leading law firm DLA Piper. You can contact me via email at firstname.lastname@example.org or email@example.com or via phone at +39 334 688 1147.