Published by Alisha McKerron on 3 October 2018
In today’s privacy climate, it is easy for companies to rush into signing data processing contracts with their service providers, for a variety of reasons. The most obvious reason is that no one wants to breach the General Data Protection Regulation (“GDPR”) (art 28(3)) and the Data Protection Act 2018 (s 59(5)), which provide that processing done by a processor on your behalf (as data controller) must be governed by a written contract between you and the data processor. The new sanctions under GDPR for breaches are too severe to be ignored.
Another reason for companies rushing to sign is an increased likelihood of breaches: the new definition of processing is all-encompassing, and the definition of personal data is much wider. The new regime also requires that certain mandatory provisions be present in data processing contracts, which has meant that old data processing contracts might need to be replaced by new ones if they do not comply with the new provisions.
However, is it always necessary to sign data processing contracts? Admittedly, service providers may historically have preferred to be classified as data processors rather than data controllers, in order to benefit from the less onerous obligations imposed on them by pre-GDPR laws. However, since the GDPR is far stricter on data processors, this argument no longer makes sense, and so it is now necessary to consider whether your service providers really are data processors under this new law. The question is best answered with, firstly, a clear understanding of GDPR and, secondly, an understanding of the service being provided.
Starting with GDPR, the official guide from the Information Commissioner’s Office (ICO) (the relevant Supervisory Authority for the UK), although not up to date, is helpful in explaining the difference between the two roles and provides various examples of service providers, including a market research company, a payment service company, a mail delivery company, solicitors, accountants, IT services (a vehicle tracking company) and a cloud provider (a storage service provider). In its examples it concludes that only one out of the seven is a data processor: the storage service provider; five out of seven are data controllers: the market research company, the payment service company, solicitors, accountants and the vehicle tracking company; and the mail delivery service is neither a data controller nor a data processor.
What is interesting is that, if you asked a person with no knowledge of GDPR to classify each provider as either a data controller or a data processor, they would probably guess that the storage service provider is the data controller and all the rest are data processors! This is because it seems logical to assume that the first six service providers will be processing personal data on behalf of their clients, and therefore are data processors, and that the storage service provider, which stores and seemingly controls the data, must therefore be a data controller.
IT service providers can be difficult to classify correctly. This is because of the technical complexity involved, and the different ways in which information technology services are delivered, e.g. on-premises (where software is run on your premises) or off-premises (where software is run on the service provider’s servers, which are not under your control). There are also many different kinds of IT service provider, such as hosting service providers, managed service providers, storage service providers and application service providers, to name a few.
The only way to come up with the correct answers is to carefully consider the GDPR definitions.
“‘processor’ means a natural or legal person, … which processes personal data on behalf of the controller;” (art 4(8) of GDPR)
“‘controller’ means the natural or legal person, … which, alone or jointly with others, determines the purposes and means of the processing of personal data;” (art 4(7) of GDPR)
Every instance needs to be considered on its own merits. For example, the ICO concludes that a vehicle tracking provider is a data controller, which might lead you to conclude that a video conferencing service provider is too, when it is not.
A vehicle-tracking provider installs hardware (devices in cars) and monitors them (on its servers) so that cars can be recovered if they go missing. Although the service it provides is to track and send back location data in certain circumstances, the vehicle-tracking provider is a data controller in its own right. This is because it has sufficient freedom to use its expertise to decide which information to collect about cars (and their drivers) and how to analyse it for its own purposes, i.e. it makes decisions in relation to purpose and means.
A video conferencing service provider installs hardware (screens and computers), for example in your conferencing suites, and uses its own software and technical expertise to allow people to videoconference with each other. Unlike the vehicle tracking provider, it does not have the same freedom to decide which information to collect and use. This is because all the personal data the service provider holds in connection with the service would be provided by you; therefore the video conferencing provider has no scope to use the data for any of its own purposes. Unlike a vehicle tracking provider, the video conferencing provider is a data processor.
What about IT Managed Service Providers (MSPs), which retain responsibility for the functionality of IT services and equipment and allow you to benefit from predictable pricing and the ability to focus on core business concerns rather than IT management chores?
Although an MSP may decide such matters as what IT system to use to collect personal data, and how to store, secure and transfer it (all seemingly control functions), these are technical decisions which a data processor is free to make. You would retain exclusive control over the purpose for which the data is processed and the manner in which the processing takes place. As in the example above, all the personal data the MSP holds in connection with the service would be provided by you. Accordingly, the MSP is a data processor.
There are many other examples that could be considered; so long as one keeps asking who exercises overall control over the ‘why’ and the ‘how’ of the data processing, the distinction between the roles should become clear.
Understanding the services being provided
As regards the second leg, namely understanding the services being provided, this is largely dependent on the relationship you have with your service providers. Where service contracts were agreed some time ago, this can be a real challenge: memories fade, personnel may have moved on to another department or company, and the service provider is not incentivised to co-operate fully since it already has a service contract in place. Accordingly, it is important not to neglect the relationship you have with your service providers.
It is also useful to bear in mind that uncertainty about each party’s role can not only result in unnecessary data processing contracts but, more worryingly, can prevent each party from determining where responsibility lies. This is essential to know, for example in the event of personal data being hacked.
In summary, in today’s privacy climate, one should not rush into signing data processing contracts or into updating existing data processing agreements without a good understanding of GDPR and of how the delivery of services affects the collection and processing of personal data. Since this is not so easy to do on one’s own, it seems prudent to make every effort to forge an open and collaborative relationship with one’s service providers.