The agreement itself is not a novelty. It has been required by national laws (and the directive) for years. However, the regulation was, at least in the Czech Republic, very limited (basically governed by a single paragraph of Section 6 of the Czech Personal Data Protection Act). Under that paragraph, a personal data processing agreement must be made in writing, must explicitly stipulate the scope, purpose and period of time for which it is concluded, and must contain guarantees by the processor related to the technical and organisational securing of the protection of personal data.
Given these minimal requirements, controllers and processors did not attach much importance to such contracts. Moreover, the obligation to have such an agreement, governing the relationship between the controller and its processor, was quite often ignored or, at least, underestimated. One of the reasons was that no sanction was connected with a breach of Section 6 of the Personal Data Protection Act.
This will change soon, once the GDPR takes effect. Not only does it significantly extend the content requirements; a breach of the obligations of the controller or the processor under Article 28 of the GDPR amounts to an infringement sanctioned with an administrative fine of up to EUR 10,000,000 or 2% of the global annual turnover in accordance with Article 83 (4) point (a) of the GDPR.
How do controllers and processors react to the change? Quite often, they apply the quickest and (at first sight) simplest solution - they copy and paste the wording of the GDPR's Article 28 to fulfil the requirements of the regulation. But do controllers and (especially) processors give a second thought to all the obligations they are entering into?
Let's focus on some provisions of Article 28 (3) of the GDPR. For example, under point (e) the contract between the controller and the processor shall stipulate that the processor, taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III (of the GDPR). Now imagine that this general provision is implemented without any change into a data processing agreement between a cloud service provider and a company making tires. Both parties will be satisfied that they are compliant with Article 28 of the GDPR and that they have everything formally covered. But what would be the real impact on the data processed by the processor for the controller?
Let's imagine that the controller uses a cloud-based CRM system storing the personal data of the controller's customers in the cloud provided by the processor. Then, one day, a former employee asks the controller to stop keeping him on record as a contact person of his former employer. The controller forwards this request to the cloud service provider with the instruction that it needs to erase Mr. XY from all its databases connected to the CRM system. The cloud service provider logically replies that it cannot even recognise the data stored in the cloud by the controller and that the deletion should be performed by the controller. The controller, however, insists, emphasising that the cloud service provider is the expert in the area and that the controller's employees do not know how to erase all the data properly. And, what might be crucial, under the data processing agreement the processor undertook to assist the controller in such situations. We will stop the description here so as not to drift into sheer fable.
The point is that such a "regular" situation may lead to serious conflicts between the controller and the processor. The wording of the provision in question is so general that it is clearly open to interpretation, even to the point where the controller will expect the processor to respond to the requests of data subjects. In other words, the pure copy and paste procedure may result in a situation where the processor takes over the factual fulfilment of all (or most) of the controller's obligations (or where the controller may interpret it that way).
This consideration leads to another problematic point - the scope of the data processing agreement. The GDPR explicitly states that the contract "shall stipulate, in particular, that the processor....". The regulation insists that every processor shall undertake to process the personal data only on documented instructions from the controller, assist the controller with several of its obligations, allow for and contribute to audits and so on. This naturally also applies to cloud service providers, who mostly have their contracts designed as standard form contracts. Most clients of a cloud service provider will expect the provider to be an expert in this field. This puts cloud service providers, and other processors who are professionals in their field, under greater pressure. The controllers are likely to engage them based on their expertise.
Under Section 5 (2) of the Czech Civil Code, "a person who offers professional performance as a member of an occupation or profession, whether publicly or in dealings with another person, demonstrates his ability to act with the knowledge and care associated with his occupation or profession. If the person fails to act with such professional care, he bears the consequences." Following this, Section 2950 thereof states that "A person who offers professional performance as a member of a vocation or profession, or otherwise acts as an expert, shall provide compensation for damage caused by his provision of incomplete or incorrect information or harmful advice provided for consideration in a matter related to his expertise or skill."
It is important to emphasize that the word "assist" in particular, as used in Article 28 of the GDPR, is very broad. It seems highly desirable to specify the form of assistance in the agreement in accordance with the nature of the processing.
To sum up, cloud service providers and other processors should be very careful about how they formulate their obligations under data processing agreements in order to prevent any misunderstanding of their obligations towards the controllers (and possible liabilities arising from such misunderstandings). In particular, they should make sure the controllers understand not only the scope of services they are to receive, but also the scope of personal data protection which is not provided by the processor (at least not free of charge).
This brings us to another topic - the GDPR does not prevent processors from charging for assistance and for the performance of other obligations under the processing agreement. For example, under point (h) of Article 28 (3) of the GDPR, the processor makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in the article and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
This is an obligation where the costs of an inspection should be clarified in the data processing agreement in order to prevent any arguments. Both sides can say that the cost should be borne by the other - the controller may say that since it is the processor's obligation, the costs should be on its side; the processor may argue that the controller initiated the audit and so it should pay for it. The argument may even lead to court proceedings. As such, it is very important to clarify the issue of covering the costs, especially when some of the services represent the realisation of the data subjects' rights, which the controller must ensure for free.
From the viewpoint of the personal data protection agreement, the GDPR brings a lot of challenges, ranging from the necessity to amend the existing agreements (which, in terms of scope, specificity, etc., do not comply with the GDPR) to finding a functional balance between the formal and (unfortunately) unrealistic expectations of its Article 28 and real life. In any case - from May 2018, signing a personal data processing agreement will no longer be a merely formal step.
Article provided by: Ivana Nemčeková and Tomáš Nielsen (NIELSEN MEINL, advokátní kancelář, s.r.o. / Czech Republic)