It happens quite often that, when running a business, you share the personal data of your customers, counterparties or colleagues with other entities as part of outsourcing. When a third party uses personal data which it did not collect itself, it should have a basis for such use.
Today, I will analyse a sub-processing agreement in line with the GDPR and I will explain what entrusting the processing is.
Entrusting the processing of personal data
Entrusting the processing of personal data is equivalent to sharing personal data with someone else. This sharing is fully controlled by the controller, i.e. it is the controller who decides which data to make available, to what extent, for what reason and for what purpose. The most important thing is that the third party processes these personal data on behalf of the controller.
Who is a controller?
A personal data controller is a person who manages personal data. He or she collects them, directly or indirectly, into a database. It is often the controller who is granted consent to send marketing information. The controller decides on the purpose, time and scope of using personal data.
The concept of a controller does not change significantly under the provisions of the General Data Protection Regulation (GDPR) as compared to what is currently the case.
If this third party exceeded its powers, it would in a way become a controller of the personal data, to the extent that its processing does not relate to the purpose established by the original controller. That party would then be responsible for the processing of these data in the same way as a controller. The same would apply to the sale of personal data.
Otherwise, if you decide simultaneously, jointly and by agreement with another entity on the use and purpose of personal data, you will be joint controllers. If you want to establish such a relationship, it is worth doing so in the form of a contract. I will certainly write about this soon.
When we entrust the processing of personal data
There are many situations where the controller entrusts the processing of personal data which they have collected themselves. The entrustment may occur in relation to, among others:
- a hosting/server service provider;
- an accounting office;
- associates under civil law agreements.
Whether entrustment applies depends on whether personal data are actually processed by this person, whether the person can be considered a staff member, or whether we are talking about an external third party.
It is with this third party that the controller must conclude a personal data sub-processing agreement.
If we are talking about employees under employment contracts or associates under civil law agreements whom you can qualify as the controller’s staff, you can grant such a person an appropriate authorisation instead of entering into a separate sub-processing agreement with them.
Sub-processing agreement — composition
The General Data Protection Regulation identifies a number of obligations that we, as processors, have to fulfil — and therefore the essential elements that a sub-processing agreement must contain:
- the subject of the processing;
- the duration of the processing;
- the nature and purpose of the processing;
- the type of personal data;
- the category of data subjects;
- obligations and rights of the controller;
- obligations of the processor.
In accordance with Article 28(3) of the GDPR, an agreement or other legal instrument states in particular that the processor:
- processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
- ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- takes all security measures required pursuant to Article 32 (GDPR);
- respects the conditions referred to in Article 28(2) and (4) (GDPR) for engaging another processor;
- taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;
- assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 (GDPR) taking into account the nature of processing and the information available to the processor;
- at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
- makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
In addition, in relation to the obligation set out in the last point above (Article 28(3)(h) of the GDPR), the processor must inform the controller immediately if they consider that an instruction given to them infringes the GDPR or other European Union or Member State data protection legislation.
As can be seen above, the GDPR imposes many more obligations on controllers as regards the construction of the sub-processing agreement itself. Below I present the elements that must be included in a sub-processing agreement under the current law (Act on the Protection of Personal Data, as of 16/02/2018):
Art. 31 of the Act on the Protection of Personal Data:
- The controller may authorise another subject to carry out the processing of personal data pursuant to a contract concluded in writing.
- The subject, referred to in paragraph 1 above, may process the data solely within the scope and for the purpose determined in the contract.
- The subject, referred to in paragraph 1, prior to processing the data shall be obliged to provide security measures protecting the data filing system, as defined in Articles 36–39 (the Act on the Protection of Personal Data), and to meet the requirements specified in the provisions referred to in Article 39a (the Act on the Protection of Personal Data). With regard to the observance of these provisions, that subject shall bear the same liability as the controller.
- In cases referred to in paragraphs 1 to 3, the liability for compliance with the provisions hereof shall remain with the controller, whereas the contracting party shall not be exempted from the liability in case the data are processed in a way incompatible with the contract.
I mentioned the minimum requirements: the GDPR indicates the scope which should be covered by a sub-processing agreement; however, nothing prevents the agreement from setting out the obligations between the controller and the entity to which we entrust the processing of personal data in a wider, more detailed way.
Sub-processing agreement in practice
Knowing which elements a sub-processing agreement should consist of, it is enough to answer questions such as the following:
- what data will be entrusted to a given entity;
- what activities this entity will be able to carry out using that data;
- for how long the entity will be able to process that data.
Preparing a sub-processing agreement requires familiarity with the processes taking place in a given business. As you probably already know, one of the purposes of the GDPR is to make entrepreneurs aware of security issues and familiar with the problems related to the processing of personal data.
Written form of a sub-processing agreement
Under the legal regime in force until May 2018, a sub-processing agreement may be concluded only in writing. Despite this requirement, large corporations did not, of course, send original versions of the agreements to each of their customers, but only signed scans. However, a scan is not a written form.
The GDPR meets the needs of Internet users: a sub-processing agreement may be concluded in writing, including in electronic form. Although the electronic form is also provided for in Polish legislation, in the case of the GDPR we have to interpret it from a European perspective, i.e. very broadly.
Finally, personal data, sub-processing agreements and the General Data Protection Regulation are business matters which cannot be disregarded if you process personal data in any way. When disclosing personal data that you have received from customers to third parties, you should secure them adequately by entering into an appropriate sub-processing agreement.