Data Protection & CybersecurityPrivacy & Cybersecurity

New risks for tech suppliers with the GDPR?

Privacy obligations might be harder for technology suppliers with the new regime for data processors provided by the GDPR. Under the current regime prescribed by the EU Data Protection Directive 95/46, data controllers have acted as a kind of defence for processors against claims and liabilities towards individuals whose personal data is processed which could be addressed only against controllers.

But the quiet time for suppliers,

including cloud providers, Internet of Things suppliers and gaming suppliers is over!

What new risks for suppliers with the GDPR?

The main changes introduced are:

  1. individuals can file direct claims for damages against both data controllers and data processors (i.e. suppliers);
  2. data processors’ liability arises only if they did not comply with the obligations imposed specifically on data processors by the Regulation or did not act within the scope of the lawful instructions of the data controller;
  3. the burden of proof of not having caused damages is on the processor which shall prove that it was not liable;
  4. in case of more than one data controller or data processor, each controller/processor is liable for the refund of the whole damages;
  5. data processors are liable for the misconducts of the sub-processors appointed by them.

And the risks above are even more concerning if is considered that the applicable fines are now massive as previously discussed in this post.

Freedom of operation is a risk for suppliers

Suppliers have been traditionally quite reluctant in accepting GDPR obligations. And indeed, privacy clauses in standard supply/outsourcing agreements are just a few lines if drafted by suppliers. This scenario is expected to change

  • not only because the Regulation provides for a detailed list of information/instructions that have to be contained in the agreements through which data processors/suppliers are appointed;
  • but also because the Regulation expressly states that if a processor infringes the Regulation by determining the purposes and means of processing, the data processor shall be considered a data controller in respect to that processing.

And obviously in case of requalification of the processor as data controller, the potential risk exposure will become even higher.

New compliance obligations

Data controllers rely on their suppliers in ensuring GDPR compliance with reference to the services supplied by means of the provided technologies. This means that obligations such as

  • the performance of a privacy impact assessment;
  • the implementation of a privacy by design and a privacy by default approach; and
  • the adoption of a security by design methodology

will be on the supplier. And customers might require even independent certifications of compliance as provided by the provisions of the Regulation relating to the privacy by design. In any case this is no fully bad news given that such measures can act as protections in case of disputes.

Suppliers might not be aware of their processing of personal data

There is some uncertainty in suppliers as to what can be deemed to be personal data triggering the obligations to comply with the GDPR.

I have already discussed about the strict position of the Article 29 Working Party on the definition of anonymous data. The EU General Data Protection Regulation provides that personal data includes also data can be linked to an individual taking into account

all reasonable means likely to be used,

taking into account the potential costs and the amount of time required for identification.

And in relation to the above, the EU Privacy Regulation expressly extends the definition of personal data to identification numbers and online identifiers as well as to cases of pseudoymisation. What we are trying to do with some clients is to identify organization and technical measures that make quite difficult and time consuming the identification of the individuals behind the data.

It is likely that we will see the renegotiations of data processing agreements and the risks and the threshold of compliance is now much higher.

You may find also interesting on the same topic

#1 Which companies shall care about it?

#2 Will fines be really massive?

#3 Did you run a privacy impact assessment?

#4 New risks for tech suppliers

#5 What changes with the one stop shop rule?

#6 How the new privacy data portability right impacts your industry

#7 What issues for Artificial Intelligence?

#8 How to get the best out of data?

#9 Are you able to monitor your suppliers, agents and shops?

#10 What liabilities for the data protection officer?

#11 Are you able to handle a data breach?

#12 Privacy by design, how to do it?

#13 How data on criminal convictions of employees become a privacy risk

#14 Red flag from privacy authorities on technologies at work

#15 Need a GDPR compliant data processing agreement?

#16 Is your customers’ data protected from your employees?

#18 Data retention periods, an intrigued rebus under the GDPR

#19 Legitimate interest and privacy consent, how to use them?


Follow me on LinkedIn – Facebook Page – Twitter – TelegramYouTube  Google+

Don't miss our weekly insights

Show More

Giulio Coraggio

I am the location head of the Italian Intellectual Property & Technology department and the global co-head of the IoT and Gaming and Gambling groups at the world-leading law firm DLA Piper. IoT and artificial intelligence influencer and FinTech and blockchain expert, finding solutions to what's next for our client's success.

Related Articles

Back to top button