Entrusting processing of personal data
It quite often happens that an entrepreneur performing operations on personal data does not become its controller: although it processes the data, someone else is the controller. It is even possible that the entity performing all activities on the data (from collection, through all operations related to providing services to the person whose data is processed, to deletion) will not be its controller at all, while at the same time the controller is an entity that has no access to the data whatsoever. Such situations are referred to as entrusting the processing of personal data.
Either controller or processor
When dealing with personal data, you can be either a controller or an entity processing data on behalf of the controller (known as a processor). There is no other possibility. Therefore, the definition of a data controller specified in the GDPR[1] is of key importance. I wrote more about the controller here, so now I will only briefly recall it. The GDPR defines the controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. So if, when processing data within your company, you have an influence on the purpose of the processing and on how the data is processed, you are its controller. If not, and you still process the data, you are only a processor.
My favorite example of this distinction is a promotional competition organized by a marketing agency. There are two possible situations: the agency can be either a processor or a controller. The way the legal relationship between the principal and the agency is arranged within such cooperation determines the status of the principal and the agency under the GDPR.
1. Agency as a processor
If the principal, commissioning the agency to conduct the contest, specifies exactly what the contest mechanism is to be, including which specific data of participants are to be collected and how they are then to be processed, the principal will be the controller. The agency, following the detailed instructions of the controller, will only process personal data as a processor.
2. Agency as a controller
However, a completely opposite situation is also possible. The principal may commission the agency to carry out marketing activities promoting his brand, but he may not necessarily be interested in what these activities will be. If, in such a situation, the agency independently decides to organize the competition, specifying its mechanism and what will happen to the participants’ personal data, it should be considered that the agency will be their controller. However, this does not mean that the principal will automatically be a processor – he may not have access to this personal data at all.
Entrusting processing of personal data
The processing of personal data on behalf of the controller is commonly referred to as entrusting the processing of personal data. The GDPR does not use such a term, but it was present in the previous version of the Polish Personal Data Protection Act (in force before the GDPR). Apparently, it took root so firmly that it is still used today.
When entrusting the processing of personal data, the controller should exercise due diligence and select an entity ensuring compliance with the relevant standards. The GDPR requires the controller to use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject (Article 28 sec. 1 of the GDPR). It is best to think about this at the stage of concluding the contract, which is mentioned below. It should include relevant statements and obligations on the part of the processor.
Personal data processing agreement
The GDPR states that “processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller”. Since in the case of small entrepreneurs only the contract is usually an option, I will focus on it.
Form of personal data processing agreement
The form in which the contract should be concluded raises some doubts. Art. 28 sec. 9 of the GDPR specifies that such a contract should be “in writing, including in electronic form”. While the issue of the written form seems clear, the meaning of “electronic form” is much more difficult under Polish law.
According to art. 78¹ of the Polish Civil Code, for a legal act to be in electronic form it is sufficient to make a declaration of will in electronic form and sign it with a qualified electronic signature. However, many companies concluding contracts for entrusting the processing of personal data accept them by clicking a button on a website. Based on a literal interpretation of the wording of the GDPR, this is not the correct approach, and in such a situation the contract file should be signed with a qualified electronic signature.
It seems that this was not the intention of the EU legislator. Looking at the practice in other countries, personal data processing agreements are routinely concluded via the internet without the burdensome obligation to use a qualified electronic signature. I suspect that in Poland the problem arises from the specific definition of electronic form in the Polish Civil Code and the unfortunate use of the term “electronic form” in the Polish translation of the GDPR. In other countries, electronic form does not necessarily mean that the contract must be signed with a qualified electronic signature. Using the relatively new concept of documentary form in Polish law would be a much better solution and would spare data controllers a lot of doubt.
Content of personal data processing agreement
The GDPR also contains guidelines on what must be included in the personal data processing agreement. According to art. 28 sec. 3 the controller should ensure that the contract specifies:
- subject-matter and duration of the processing,
- the nature and purpose of the processing,
- the type of personal data and categories of data subjects,
- the obligations and rights of the controller,
and also shall stipulate in particular that the processor:
- processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which the processor is subject,
- ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality,
- takes all measures required pursuant to art. 32 of the GDPR,
- respects the conditions referred to in art. 28 sec. 2 and 4 of the GDPR for engaging another processor,
- taking into account the nature of the processing, assists the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR,
- assists the controller in ensuring compliance with the obligations pursuant to art. 32-36 taking into account the nature of processing and the information available to the processor,
- at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data,
- makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
Because the GDPR introduces the above catalogue with the phrase “in particular”, it should be considered only the minimum scope of the personal data processing agreement. Depending on the situation, the controller should also include other provisions in the contract to ensure adequate protection of personal data.
Sub-processor
Sometimes the processor needs to engage further processors who will also process personal data on behalf of the controller. The GDPR allows for this, but the decision in this regard should always be taken by the controller (art. 28 sec. of the GDPR). The processor shall not engage another processor without the prior specific or general written authorization of the controller. In the case of general written authorization, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes. It is worth considering adding to the personal data processing agreement provisions regulating the use of sub-processors by the processor.
If the processor already uses the services of a further processor, the same rules apply as in the case of the involvement of the processor. According to art. 28 sec. 4 of the GDPR, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.
Where the other processor fails to fulfill its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.
Liability of processor
Financial penalties
In the event of violations by the processor of the principles of personal data processing set out in the GDPR, the question arises who is responsible for it – the controller or the processor? Or maybe both of them?
Certainly, the controller should select the processor taking into account the criteria set out in art. 28 sec. 1 GDPR (described above). For such failures, the controller is exposed to a penalty that may be imposed by the President of the Office for Personal Data Protection.
However, if the controller has correctly selected the processor and concluded an appropriate contract with it, and a breach of personal data protection nevertheless occurs as a result of the processor’s incorrect actions, the situation is not so obvious and depends on the circumstances. This issue has already been addressed in the decisions of the President of the Personal Data Protection Office and in the jurisprudence of Polish courts. For example, in the judgment of the Voivodship Administrative Court in Warsaw of October 5th, 2021 (case file no. II SA/Wa 528/21), the court found, among others: “Making the correct choice of the data processor does not release the controller completely from obligations related to data processing and liability for their violation. However, it does not allow the controller to be held fully liable for a breach of the law leading to a breach of personal data protection for reasons attributable to the processor”. The above judgment confirms that this issue may be resolved differently depending on the facts. The key question is what actions were available to the controller and whether it could actually influence the processor. The more elements lie beyond the controller’s control, the more liability shifts from the controller to the processor.
Compensation for the data subject
Article 82 sec. 1 of the GDPR provides that any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. In this regard, both the controller and the processor may be liable. Moreover, it is joint and several liability.
Furthermore, the GDPR specifies that the processor is liable for damage caused by processing only if it has failed to comply with the obligations that the GDPR imposes directly on processors, or if it has acted outside or against the lawful instructions of the controller.
Contractual liability
The processor is also contractually liable towards the controller for damage caused by non-performance or improper performance of the obligations specified in the personal data processing agreement. The contract may also provide for contractual penalties.
Modifying purposes or means of processing by processor
A very important issue in terms of liability is a situation where the processor independently changes the purposes or means of processing personal data. According to Art. 28 sec. 10 of the GDPR, in such a situation he will be considered the controller in relation to this processing, with all the consequences of non-compliance with the provisions of the GDPR.
Examples of entrusting personal data processing
Finally, a few examples of situations in which entrusting of personal data processing occurs. Remember, it is crucial to determine whether the entity to which you provide data, in any scope, decides on the purposes or means of data processing. If so, it becomes an independent controller of that data. If not, you are entrusting it with processing. These may be the following situations:
- hosting service provider,
- a marketing agency carrying out promotional campaigns in accordance with your guidelines,
- your subcontractors.
Footnotes
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)