Chapter 18 (Outsourcing) Flashcards
What is the most logical way of applying the controller and processor roles to an outsourcing relationship?
To treat the customer as the controller and the supplier as the processor.
What are the practical implications of treating the controller as the customer and the supplier as the processor in an outsourcing relationship?
- Determining the purpose and means of the processing
- Imposing legal obligations
Aside from the strict contractual relationship, the GDPR establishes 13 direct legal obligations for processors. These obligations exist irrespective of an outsourcing contract’s contractual provisions. List the 13 obligations.
- Article 27: a non-EU based processor that falls within the scope of the GDPR must appoint an EU rep
- Article 28: must not engage another processor without the prior specific or general written authorization of the controller
- Article 28(3): processing must be governed by a written contract or other legal act binding on the processor with regard to the controller
- Article 28(4): Any subprocessors must be governed by a contract with the same data protection obligations set out in the processor’s contract with the controller
- Article 29: a processor, subprocessors, or any person acting under their authority must not process personal data except on instructions from the controller unless required to do so by EU or member state law
- Article 30(2): a processor or its rep must maintain a record of its processing activities carried out on behalf of the controller
- Article 31: a processor or its rep must cooperate with the DPA
- Article 32: must implement appropriate technical and organizational security measures relative to the risks that arise from processing to ensure personal data is protected
- Article 33: must notify the controller without undue delay after becoming aware of a personal data breach
- Article 37: sets out the circumstances where a processor must appoint a DPO
- Article 38: lays out what a processor must provide to a DPO to ensure the DPO can do its job
- Article 44: must comply with conditions set out in the GDPR for international transfers of personal data
- Article 49: when processing is based on the legitimate interests of the controller, an assessment of all the circumstances and the adoption of suitable safeguards to protect the data transferred must be carried out and documented
Under Article 27 of the GDPR, a non-EU processor that falls within the scope of the GDPR doesn’t need to appoint an EU rep if the processing meets what 3 criteria?
The processing is
1. Occasional
2. Doesn’t include large-scale processing of special categories of data or personal data relating to criminal convictions and offenses
3. And is unlikely to result in a risk to the rights and freedoms of individuals
The written record obligation imposed on processors under Article 30(2) doesn’t apply if a processor employs fewer than 250 employees unless one of what 3 conditions is present?
The processing conducted
1. Is likely to result in a risk to the rights and freedoms of data subjects
2. Isn’t occasional
3. Or includes special categories of data referred to in Article 9(1) or personal data relating to criminal convictions and offenses referred to in Article 10
Under Article 32 of the GDPR, a processor must implement appropriate technical and organizational security measures relative to the risks that arise from processing to ensure personal data is protected. These measures can include what 4 things?
- Pseudonymisation and encryption
- The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of systems and services
- Effective backup and disaster recovery processes
- Regular review of the security measures applied to the processing to ensure they remain appropriate
Under Article 37 of the GDPR, what 2 circumstances require a processor to appoint a DPO?
- Its core activities consist of processing operations that require regular and systematic monitoring of individuals on a large scale, or
- Its core activities involve processing of sensitive data or data on criminal convictions on a large scale
Under Article 38 of the GDPR, a processor must ensure what 3 things for their DPO?
- The DPO is involved in all issues relating to the protection of personal data, and the processor must provide the necessary support to the DPO
- The DPO is able to act independently
- That any other tasks of a DPO do not result in a conflict of interests
In an outsourcing relationship is it common for the supplier to take an active role in making certain decisions about the processing?
Yes, due to their expertise; however, they can’t go beyond their mandate from the customer, i.e., the controller.
For suppliers that use AI to provide their services, what is the crucial factor when determining whether the development of AI is undertaken in a processor capacity?
The extent to which a supplier may or may not have an interest in the underlying personal data used for AI development purposes other than to provide services to its clients.
Modern outsourcing is hardly ever limited to a relationship between two parties. Describe the 3 part model outsourcing arrangements generally follow.
- Within a corporate group, operating companies established in different jurisdictions rely on a procurement entity within the subgroup of companies to procure data processing services
- The procurement entity appoints a particular supplier as a prime contractor for the relevant data processing services
- The supplier then subcontracts some of those services to other entities within its group of companies or external third parties
Vetting employees is an obligation linked to organizational security measures. This obligation may require the supplier to ensure what 3 things?
- The reliability of any employees and subcontractor personnel who have access to the customer personal data
- All employees and subcontractor personnel involved in the processing of personal data have undergone adequate training in the care, protection, and handling of it
- All employees and subcontractor personnel perform their duties strictly in compliance with the applicable confidentiality provisions under the contract by treating such customer personal data as confidential info
In addition to the basic obligations previously set out under the GDPR, the outsourcing contract must include provisions that require the supplier to do what 6 things?
- Comply with the obligations imposed on the processor by the GDPR regarding the appointment of other processors
- Assist the controller by implementing appropriate technical and organizational measures to enable the controller to respond to individuals exercising their rights under the GDPR
- Assist the controller in ensuring compliance with the obligations set out in Articles 32-36 of the GDPR (data security, breach notification, DPIAs)
- At the choice of the controller, delete or return all personal data to the controller after the end of the provision of services, and delete existing copies unless EU or member state law requires storage of the personal data
- Make available to the controller all info necessary to demonstrate compliance with Article 28 of the GDPR
- Allow for and contribute to audits by the controller or an auditor appointed by the controller
Where the outsourcing relationship is likely to involve a chain of processors and subprocessors, the contract between the controller entering into the outsourcing contract and the main supplier should take place subject to what 4 conditions?
- The customer must provide prior specific or general written authorization to the supplier regarding the engagement of a subprocessor
- In the case of general written authorization, the processor must inform the controller of any intended changes that concern the addition or replacement of other subprocessors, giving the controller the opportunity to object to such changes
- The processor has an obligation to impose the same contractual obligations applicable to it onto any subprocessor
- The main supplier must remain liable to the customer for any breach of the subprocessor