News Articles
What are the actual obligations of data processors?
If you’ve been following the latest data protection news, you might have heard that under the GDPR, you can be either a data controller or a data processor.
>A “Controller’ is defined in the Regulation as: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
On the other hand the Regulation defines a processor as ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.
But the GDPR puts almost all the emphasis of enforcement on data controllers. So; what does a data processor have to do in terms of their obligations? They clearly have a very important role, even if it might not seem that way in purely legal terms.
Well, don’t fear; the info you crave is here.
A detailed list of the obligations on the processor that must be agreed to in their supplier contracts include:
- the subject matter, duration, nature and purpose of the data processing, together with the type of personal data concerned and the categories of data subject should be maintained;
- that personal data is only processed on documented instructions from the data controller, including with regard to international data transfers;
- that individuals authorised to process the personal data are subject to an obligation of confidentiality;
- that more prescriptive security measures are included;
- that the data controller is at minimum given notice of any sub-processors and have a right of objection;
- that all sub-processors are subject to the same contractual obligations as are imposed on the processor;
- that appropriate measures are taken to ensure the data controller can meet its obligations (e.g., to allow data subjects to exercise their rights); to keep data appropriately secure, to notify in the event of data breaches, to conduct data protection impact assessments and to consult with regulators where relevant;
- that all personal data is deleted or returned once the provision of services is completed; and to make available all necessary information and to allow for audits to be conducted in order to monitor compliance with the supplier contract.
GDPR - How Does It Apply to The Cloud?
The Cloud. Its all the rage with technology companies nowadays, and for good reason.
'Cloud computing' refers to the provison of information technology services over the internet.
These services may be provided by a company for its users in a ‘private cloud’ or by third-party suppliers. The services can include software, infrastructure (i.e., servers), hosting and platforms (i.e., operating systems). Cloud computing has numerous applications, from personal webmail to corporate data storage.
All these types of cloud service commonly have the following features: The service’s infrastructure is shared amongst the supplier’s customers and can be located in a number of countries. Customer data is transferred around the infrastructure according to capacity. The supplier determines the location, security measures and service standards applicable to the processing.
Cloud service providers must consider whether either of these GDPR tests apply to them: Does the data processing relate to the activities of an EU establishment of the data controller using their services; or Does the data processing relate to offering goods or services to individuals in the EU, or to monitoring their behaviour, even when the data controller or processor is not established in the EU.
If either of them do, they MUST bring part or all of their processing operations under the remit of European data protection law. Even where these processing operations are not directly subject to the GDPR, if their customers are subject to the Regulation, those cloud customers (the data controllers) will be obliged to impose strict data processing contracts on the cloud service provider which contain many of the same controls on how personal data may be used. Moreover, the GDPR imposes certain conditions on the transfer of personal data outside the European Economic Area (EEA). Cloud computing will almost certainly involve international data transfers. The customer, as a controller, is responsible for compliance with the Regulation regarding transfers of its personal data. That means imposing extra controls to ensure “adequacy” of data protection.
Want to know how much personal data your company has on you? There’s an app for that!
Have you heard of subject access requests? Sounds a bit technical but it really isn’t. It’s just the process whereby a customer or employee of an organisation can request access to all the personal data that the company has on them.
Not only that, but the data has to be organised into a common-read, easily transferable document. This right for people in the European Union has been around a long time – specifically since the EU Data Protection Directive was passed in 1995. However, the upcoming GDPR really strengthens various aspects of that previous law and introduces new, more aggressive controls and rights.
For instance, with regards to subject access requests, the time limit that a company has to respond to your request has been reduced from 40 days to 30 days. Moreover, they can no longer charge for any request that you send them. Most importantly though, the entire culture of privacy is changing, and fast. No longer can organisations act as if these data processes are a side issue not worth their time or concern.
The right of access to personal data is only one of many rights that are either introduced or reinforced in the GDPR, and it’s part of your duty as a citizen to be aware of, and exercise those rights, not only for your own good but as a catalyst for positive social change as well.
On the other hand, these new requirements may put considerable administrative burdens on companies who aren’t prepared for the upcoming privacy provisions. It’s all about being aware and getting prepared. As long as you have a process in place, May 25th shouldn’t be a massive headache.