What does the GDPR say on data processing agreements?
The data processor is the person who processes personal data on behalf of the controller.
This is how, building on Directive 95/46/EC of 24 October 1995, the General Data Protection Regulation (“GDPR”) defines a “processor” in its Article 4(8). The GDPR (1) imposes new obligations on processors in order to increase the accountability of those who usually handle large volumes of data on behalf of the controller.
Article 28(3) of the GDPR lays down new obligations which must be reflected in the data processing agreement. These relate mainly to:
- the subject-matter and duration of the processing of personal data;
- the nature and purpose of the processing;
- the security, notification and alerting obligations owed to the controller.
What’s the impact for cloud contracts?
For any cloud contract (IaaS, PaaS, SaaS), the above-mentioned obligations of the GDPR regarding data processing may require the following:
- a clause “Representations” containing representations from the controller to the processor regarding all relevant information on the purpose of the processing of personal data made using the means made available by the cloud provider;
- a clause “Instructions” describing the instructions given by the client to the cloud provider and how the cloud provider must apply them;
- a clause “Security” presenting the physical and logical security policy deployed by the cloud provider, in addition to the measures applicable in case of unauthorised intrusion (data breach process); this clause should be associated with an appendix dedicated to a security assurance plan;
- a clause under which the processor agrees to cooperate in the event a data subject wants to exercise his or her rights;
- a clause specifying if, when and how a processor can engage another processor;
- a clause “Confidentiality”, which should guarantee confidentiality not only from the cloud provider’s own employees, but also from any subcontractors or freelancers hired by the cloud provider to assist in the performance of its obligations;
- clauses on the provider’s obligation to inform (in general, and not only in the event of data breach) and the conditions for conducting audits;
- the conclusion of standard contractual clauses (2) if the data are transferred outside the European Union to a country not considered as ensuring an adequate level of protection (if data are transferred to the United States, a specific framework may apply: the EU-U.S. Privacy Shield (3));
- clarifications on the termination of contractual relationships and the destruction of data in the cloud.
Without prejudice to the provisions of the contract, Article 28 of the GDPR allows the processor to adhere to a code of conduct (Article 40) or to a certification mechanism (Article 42) to demonstrate that it provides sufficient guarantees to meet the requirements of the GDPR (Article 28(5)).
Despite those contractual provisions or certification procedures, in practice a cloud provider sometimes manages the data entrusted to it almost autonomously. A cloud provider can hardly be regarded as the controller under the GDPR, but it may be considered a “joint controller” within the meaning of its Article 26. In such situations, since a supervisory authority may decide to requalify that controller-processor relationship as one between joint controllers, the parties would be well-advised to proactively treat themselves as such and sign a joint controllers agreement reflecting the actual division of liability between them.
(1) Regulation 2016/679 of 27-4-2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation (“GDPR”)).
(2) Chloé Torres, Oriane Zubcevic, Post of 7-12-2016.
(3) Céline Avignon, Post of 13-7-2016.
Article provided by: Eric Le Quellenec, Attorney-at-law, Member of the Paris Bar