The Data Processing Component
In this issue of the GDPR Guide, we’re writing about what might seem like the obvious. In practice, however, it happens that business process owners—even when they have access to a “GDPR-specialized” lawyer—fail to notice the data processing component in a given contract, ultimately deciding not to involve such a lawyer in the contract review process, particularly when this represents an additional cost for the company. This is a mistake. It is not enough that the contract (or any other document related to a process under your responsibility) does not contain the words “GDPR” or “personal data” for it to be irrelevant to GDPR compliance.
Look for data processing elements in documents and processes
Situations where a “GDPR specialist” should review a contract or document are not always obvious.
Example: You’re the person in charge of implementing a solution that allows employees to report problems, waste, and ideas for workplace improvements. This serves your company’s goals, but to report a problem, employees must log in to an external platform. You probably think that since your company doesn’t transfer any employee data to this external platform, the GDPR isn’t an issue. You don’t even inform the DPO about it. It’s only some time after the solution is implemented that you come up with the idea of organizing a contest for the most submitted ideas. You select the winners, want to announce them to the entire staff, and ask the DPO if this is GDPR-compliant. That’s when various unexpected questions arise from the DPO, such as: how was the contract with the platform provider concluded (via a “traditional” contract or by accepting the terms of service), and how were the roles defined in the data processing of employees reporting issues—is the platform a data processor or a separate data controller for that data? These questions may surprise you, because after all, the platform itself “collects” data from your company’s employees who report issues; besides, it is used “only” for reporting issues, not for processing “real” personal data such as a PESEL number. Therefore, we would like to inform you that in the situation described, it was necessary to consult with a “GDPR” lawyer or the Data Protection Officer beforehand, before your company began using the new platform.
Another example: a contract with a client may also include a provision where the client requires you to provide in advance the ID numbers of all drivers who are to physically deliver the product sold by your company to the client’s premises. You might think this is okay—after all, they’re entering the client’s premises. But is that really the case? What purpose does this serve, and is sharing such data proportionate to the client’s stated purpose? This, again, is a matter for a “GDPR specialist” to consider. Does your company deliver work gloves to vending machines in the customer’s building and, as a result, have access to information showing that John Smith takes, say, 3 pairs of gloves per week? This is also an issue that should be analyzed by a lawyer or the DPO.
Most importantly—be clear about who is who
Once you’ve identified this data processing component in the documents and processes under your control, remember that the most important thing is to be absolutely clear about who is who in terms of whose personal data is involved. This should always be stated in “plain language,” so that no interpretation is needed. Why is this so important? Because the status of a data controller comes with specific obligations, while the status of a data processor comes with different obligations. A precise distinction is essential to prevent future disputes in this regard during “crisis” situations, such as a data breach or the need to comply with a GDPR request, e.g., regarding the provision of copies of data or its deletion. Not a lawyer? Not familiar with the GDPR? If you have the support of a “GDPR” lawyer at your company, the fact that you yourself are not familiar with the GDPR will, in a sense, be to your advantage. You can evaluate the lawyer’s work with a clear, non-legal eye and, before sending a contract reviewed by them to a potential business partner, verify for yourself whether the distinction between who is the controller of whose data and who is “merely” a processor is clear to you. If this isn’t clear to you as a non-lawyer, take the document back to the lawyer who handles your company’s legal affairs and ask for clarification or for the contract to be amended. Such issues should always be spelled out “in black and white” so that every process owner can understand them.
If you don’t understand who is the controller or processor for what—fight for clarity
Remember, sometimes in the heat of hammering out the details, the basics get overlooked. As the business process owner, don’t let it slide—fight for clear provisions on this matter, because if trouble arises, you’ll likely be on the front lines of the GDPR battle