This article covers the roles and responsibilities of data controllers and data processors and the direct obligations placed on data processors in binding contracts. It also illustrates due diligence on vendors and other third-party services, and explains the non-transferable liability within contracts under the GDPR and its implications.
What you need to know in a nutshell
- A data controller determines how personal data is processed, the data processor acts on behalf of the data controller
- For data processors there are specific obligations in regard to personal data
- International data transfer rules must be considered for compliance
- Sub-processors should not be engaged without the authorisation of the data controller
- Sub-processors can also be held liable for non-compliance
In this article
- Roles and responsibilities of a Data Controller: The fundamentals
- Direct obligations of Data Processors
- Can a processor be held liable for non-compliance?
- Sub-processors liability for non-compliance
- Due diligence in services
- Mind the contract
Roles and responsibilities of a Data Controller: The fundamentals
Data controllers and data processors are both important terms which define the role of an organisation in a data processing relationship. A data controller is a person or organisation who determines the purposes and means by which personal data is processed. The data processor, by contrast, is anyone who processes personal data on behalf of the data controller.
Often, a data controller will carry the primary responsibility to understand and uphold data protection principles. It is the primary responsibility of a data controller to implement safeguards that protect personal data throughout its processing by the parties and individuals involved. Data controllers could also be held liable to data subjects for any non-compliance of a data processor.
Thus, data controllers are expected to work with data processors who have the appropriate technical and organisational measures in place to comply with data protection law. Processors, however, are also expected to follow relevant guidelines to demonstrate their own compliance with data protection law, as well as follow the processing instructions received from the data controller.
Direct obligations of Data Processors
Data Processors have specific and direct obligations in regard to personal data. At all times, they must enter into binding contracts with the data controller to maintain data security and implement adequate technical and organisational measures. Their work must evidence accountability, and they need to be prepared to be audited at any given time.
The International Data Transfers rules must also be considered for optimal compliance. In particular, if a Processor's duties are outsourced and the outsourcing service is based outside the UK or EEA, they must be prepared to demonstrate that the correct safeguards are in place to secure the personal data whilst it is being processed in a third country. Processors must follow the instructions of a data controller unless data protection infringements have otherwise been identified and communicated to the data controller.
In some cases, processors might engage sub-processors, and therefore, it is advised that data processors do not engage sub-processors without the controller’s authorisation, unless otherwise stipulated in the contract. When sub-processors are involved, the data processor is fully liable to the Controller for the sub-processor’s compliance, and under Article 82(5) of the UK GDPR, if a sub-processor is at fault, the data controller may claim back compensation from the data processor for their sub-processor’s failings.
Can a processor be held liable for non-compliance?
A data processor could be liable for breach of contract in the event of failure to comply with the instructions imposed by the data controller and with the contractual terms agreed with the controller.
In cases of failure to comply with the law, the data processor will be subject to investigative and corrective actions taken against them – such corrective actions may include administrative fines and other penalties.
Finally, the Data Processor can face legal claims filed against them by any individual whose data they process. For example, Article 82 of the UK GDPR imposes liability to pay compensation for any distress or non-material damage caused to the individual.
Data processors should keep in mind that if they begin to determine the means of the processing, they will be considered a controller in respect of that processing.
Sub-processors liability for non-compliance
Sub-processors may also be held liable when they fail to comply with any legal obligations imposed on data processors. They may also be held liable if they act outside the Data Controller's instructions.
Data processors are held liable to the data controllers for a sub-processor's shortcomings. Under Article 82(5) of the UK GDPR, the data controller can claim compensation from the processor for any failures of the sub-processor. The sub-processor itself also has contractual obligations to the Data Processor where a sub-processing contract is established.
The processor must impose on the sub-processor the same data protection obligations as those set out by the controller. In the sub-processing contract, the processor should pass on the instructions it receives from the controller.
Due diligence in services
Another important topic in data protection is the due diligence in services, an area in which parties often fall short. Like any other commercial relationship, a due diligence process should be carried out before engaging any third party and wherever the processing of data is involved.
Such due diligence processes should answer:
Usually, organisations will create vendor risk assessments, which assess the privacy programme of the vendor. Assessments also help the contracting party identify any areas of risk and concern. Such risks range from hacking, theft and unauthorised access to misuse of data.
Once a list of risks has been compiled, a data protection impact assessment may also be carried out to understand the level of risk and find ways to mitigate it.
In cases where a Data Controller wants to engage a Data Processor who has had multiple data breaches in the past few years, the Data Controller may wish to implement stricter instructions on that particular processor. These include strict technical and organisational measures that are to be regularly reviewed by the Controller itself.
A data protection assessment should ask questions to assess the risk appetite of third parties such as:
There are often consequences for misjudging risks, including high costs and losses. Consequences include statutory compensation, regulatory actions carried out by the ICO and actions brought by other regulatory bodies. Such bodies include the Financial Conduct Authority or the Gambling Commission for anti-money laundering and data protection due-diligence checks.
Mind the contract
Liability in the contract between a Controller and a Processor is not transferable. A Data Processing Agreement is a legally binding contract and may include limitations of liability and indemnity terms. However, under the UK and EU GDPR, it is impossible to relieve either party of their legal responsibility. If personal data is not lawfully processed, the individual has a legal right to compensation.
It is important to highlight that there are no circumstances under which a Data Controller can exclude liability to an individual or a supervisory authority, and this also applies where an incident results from a data processor's fault.