One of the first steps for businesses which process personal data should be reviewing all existing contracts with suppliers to see if they are handling personal data properly. Many firms hold vast amounts of personal data on their clients. Should a data breach occur, the regulator can impose a fine of up to 4% of global turnover or €20m. Undertaking a thorough review of how you currently process and hold data and who are you dealing with should be a priority for every firm right now, to ensure that you don’t fall foul of the new law. If you haven’t started yet – don’t panic. There is still time to plan and implement a compliance programme.
Such a risk exists, for example, in a situation where a contract for HR or payroll services is signed with an outsourcing firm and where such a contract involves the transfer of personal data processing to that firm. According to GDPR, "processor" means any entity which processes personal data on behalf of the controller. Both the data controller and the data processor are obliged to comply with GDPR requirements.
, and the most controversial, obligation is the selection of data processors who will ensure sufficient compliance with the GDPR requirements and will protect the rights of people. According to GDPR it is the data controller who is responsible for assessing whether a particular service provider has adopted the technological and organisational means necessary for this purpose.
How can the data controller verify whether a supplier meets the above conditions? GDPR suggests that the data controller should carry out an audit of this supplier. In practice, it may prove very difficult to achieve, especially if a company uses the services of many outsourcing firms.
Also the processor should take appropriate steps towards ensuring compliance by demonstrating that it observes the approved industry or professional code of conduct or by obtaining a relevant data processing compliance certificate. As of now, Polish law does not provide for any system of certificates that would confirm compliance with the requirements regarding the processing and protection of personal data. However, GDPR and the draft Personal Data Protection Act envisage a relevant certification procedure.
obligation of the data controller (while outsourcing the service to an outsourcing firm) is to sign a proper contract (or amend the existing contract). The contract should sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects, and the rights and obligations of the data controller.
According to GDPR, the contract should stipulate, in particular, that the processor:
- processes the personal data only on documented instructions from the controller;
- ensures that persons authorised to process the personal data have committed themselves to confidentiality;
- takes all measures required to ensure the security of data processing;
- insofar as this is possible, assists the controller by appropriate technical and organisational measures for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in GDPR (e.g. the right to be forgotten, the right of data portability);
- assists the controller in ensuring compliance with the obligations regarding the security of processing, notification and communication of a personal data breach, data protection impact assessment and prior consultation;|
- at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
- makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in the relevant GDPR article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
It is worth mentioning that, the EU Commission and the supervisory authorities will be authorised to present standard clauses which will help to draft personal data processing contracts. According to the current draft of the new Personal Data Protection Act, the Polish supervisory authority may issue codes of good practices setting out guidelines as to how to align business processes with GDPR requirements.
Businesses which hire data processors should take appropriate steps as soon as possible in order to avoid the situation in which their suppliers are not able to ensure compliance with the GDPR requirements. Besides the risk of personal data breach, companies are also exposed to the risk of a regulatory fine amounting to the higher of up to EUR 10,000,000 or up to 2% of the company's total worldwide turnover. The same sanction may apply if the company fails to sign a contract for the processing of personal data or signs such a contract in contravention of GDPR requirements. In such a case, the sanction may be imposed on both the data controller and the data processor.