Data Processing Agreements: Make Sure It Is Clear Who the Controller Is

If you’re what’s known as a “process owner” at your company (for example, you’re responsible for recruitment or organizing a competition), it’s very likely that you’re also responsible for finalizing an agreement related to the processing of personal data within “your” process. In many cases, you’ll have support from a lawyer (though not necessarily a “GDPR” lawyer), but sometimes you’re solely responsible for negotiating the agreement, including the provisions regarding data processing.

The Data Processing Component

In this issue of the GDPR Guide, we’re writing about what might seem like the obvious. In practice, however, it happens that business process owners—even when they have access to a “GDPR-specialized” lawyer—fail to notice the data processing component in a given contract, ultimately deciding not to involve such a lawyer in the contract review process, particularly when this represents an additional cost for the company. This is a mistake. It is not enough that the contract (or any other document related to a process under your responsibility) does not contain the words “GDPR” or “personal data” for it to be irrelevant to GDPR compliance.

Look for data processing elements in documents and processes

Situations where a “GDPR specialist” should review a contract or document are not always obvious.

Example: You’re the person in charge of implementing a solution that allows employees to report problems, waste, and ideas for workplace improvements. This serves your company’s goals, but to report a problem, employees must log in to an external platform. You probably think that since your company doesn’t transfer any employee data to this external platform, the GDPR isn’t an issue. You don’t even inform the DPO about it. It’s only some time after the solution is implemented that you come up with the idea of organizing a contest for the most submitted ideas. You select the winners, want to announce them to the entire staff, and ask the DPO if this is GDPR-compliant. That’s when various unexpected questions arise from the DPO, such as: how was the contract with the platform provider concluded (via a “traditional” contract or by accepting the terms of service), and how were the roles defined in the data processing of employees reporting issues—is the platform a data processor or a separate data controller for that data? These questions may surprise you, because after all, the platform itself “collects” data from your company’s employees who report issues; besides, it is used “only” for reporting issues, not for processing “real” personal data such as a PESEL number. Therefore, we would like to inform you that in the situation described, it was necessary to consult with a “GDPR” lawyer or the Data Protection Officer beforehand, before your company began using the new platform.

Another example: a contract with a client may also include a provision where the client requires you to provide in advance the ID numbers of all drivers who are to physically deliver the product sold by your company to the client’s premises. You might think this is okay—after all, they’re entering the client’s premises. But is that really the case? What purpose does this serve, and is sharing such data proportionate to the client’s stated purpose? This, again, is a matter for a “GDPR specialist” to consider. Does your company deliver work gloves to vending machines in the customer’s building and, as a result, have access to information showing that John Smith takes, say, 3 pairs of gloves per week? This is also an issue that should be analyzed by a lawyer or the DPO.

Most importantly—be clear about who is who

Once you’ve identified this data processing component in the documents and processes under your control, remember that the most important thing is to be absolutely clear about who is who in terms of whose personal data is involved. This should always be stated in “plain language,” so that no interpretation is needed. Why is this so important? Because the status of a data controller comes with specific obligations, while the status of a data processor comes with different obligations. A precise distinction is essential to prevent future disputes in this regard during “crisis” situations, such as a data breach or the need to comply with a GDPR request, e.g., regarding the provision of copies of data or its deletion. Not a lawyer? Not familiar with the GDPR? If you have the support of a “GDPR” lawyer at your company, the fact that you yourself are not familiar with the GDPR will, in a sense, be to your advantage. You can evaluate the lawyer’s work with a clear, non-legal eye and, before sending a contract reviewed by them to a potential business partner, verify for yourself whether the distinction between who is the controller of whose data and who is “merely” a processor is clear to you. If this isn’t clear to you as a non-lawyer, take the document back to the lawyer who handles your company’s legal affairs and ask for clarification or for the contract to be amended. Such issues should always be spelled out “in black and white” so that every process owner can understand them.

If you don’t understand who is the controller or processor for what—fight for clarity

Remember, sometimes in the heat of hammering out the details, the basics get overlooked. As the business process owner, don’t let it slide—fight for clear provisions on this matter, because if trouble arises, you’ll likely be on the front lines of the GDPR battle

Czytaj także:

Najczęstsze błędy przy zawieraniu umów powierzenia
Administratorem Twoich danych jest ODO 24 sp. z o.o. z siedzibą w Warszawie (03-812) przy ul. Kamionkowskiej 45. Twoje dane są przetwarzane w celu świadczenia usługi biuletyn informacyjny na zasadach określonych w Regulaminie ŚUDE. Więcej informacji na temat procesu przetwarzania danych osobowych oraz przysługujących Ci praw uzyskasz w Polityce prywatności.
Potwierdź swój adres e-mail
Wejdź na swoją skrzynkę pocztową, otwórz wiadomość od ODO 24 i potwierdź adres e-mail, klikając w link.
Jeżeli nie znajdziesz naszej wiadomości - sprawdź w folderze SPAM. Aby w przyszłości to się nie powtórzyło oznacz wiadomość jako pożądaną (klikniknij prawym przyciskiem myszy i wybierz "Oznacz jako wiadomość pożądaną").
Odbierz bezpłatny pakiet 4 poradników
i 4 szkoleń e-learningowych RODO
4x4 - Odbierz bezpłatny pakiet 4 poradników i 4 szkoleń RODO
Administratorem Twoich danych jest ODO 24 sp. z o.o. z siedzibą w Warszawie (03-812) przy ul. Kamionkowskiej 45. Twoje dane są przetwarzane w celu świadczenia usługi biuletyn informacyjny na zasadach określonych w Regulaminie ŚUDE. Więcej informacji na temat procesu przetwarzania danych osobowych oraz przysługujących Ci praw uzyskasz w Polityce prywatności.
Administratorem Twoich danych jest ODO 24 sp. z o. o. >>>