The Personal Data Protection Act currently in force in Poland (the Act) doesn’t include provisions addressed directly to processors (except in Article 31(3) of the Act). This will change on 25 May 2018 with the General Data Protection Regulation (GDPR, the Regulation) coming into force, which will significantly broaden the list of standards addressed directly to processors, significantly increasing the scope of their liability.
The Regulation applies mainly to the processing of personal data connected with activity carried out by a business that has an organisational unit in the EU, whether or not the processing itself takes place there. Yet even where a business has no organisational unit in the EU, GDPR will also apply when a processor processes the personal data of data subjects who are in the EU in connection with offering them goods or services, irrespective of whether payment is required from them. It also applies when the processing involves the monitoring of their behaviour, as far as that behaviour takes place within the EU.
So in practice, data processors that don’t have an organisational unit in the EU, don’t provide services directly to consumers (data subjects) in the EU and don’t monitor data subjects that are in the EU, will not be subject to GDPR.
Higher level of data security guaranteed
Article 28(1) of GDPR states that the controller is required to entrust data processing only to processors that can guarantee technical and organisational measures which meet the requirements of the Regulation, so that they can adequately ensure the protection of the data subjects’ rights. To ensure adequate levels of data protection, a personal data controller should choose processors who can provide the highest guarantees of compliance with GDPR standards. Therefore, data controllers should prefer processors that are subject to GDPR rather than those that are not. This is because processors subject to GDPR are obliged to implement appropriate measures to ensure data security on pain of administrative penalties, regardless of the contractual relationship between processors and controllers. In the case of processors not subject to GDPR, the only guarantee ensuring the implementation of appropriate technical and organisational measures will be contractual liability, which in practice can prove extremely difficult to enforce. It’s difficult to transfer the liability to processors through a contract because a large number of processors not subject to GDPR will use contract templates limiting their data processing liability. A lack of contractual and administrative liability for a breach of GDPR requirements may adversely affect the quality of the services provided, including the security of the data processed.
When choosing a processor that provides appropriate security guarantees, one should bear in mind that choosing a processor that doesn’t comply with GDPR can cost a data controller as much as €10,000,000 or 2% of the total worldwide annual turnover of the preceding financial year. This shows that to protect the interests of controllers, it’s recommended to determine each time whether or not a given processor will be subject to GDPR, and to use the services of processors to which the Regulation will apply.
Entrusting data for processing
These considerations have narrowed the circle of recommended processors to those to which GDPR will apply. The second step towards minimising the legal risks associated with entrusting data is to pay attention to the regulations governing the transfer of data to the US. Even if the US processor is subject to GDPR, such entrusting of data will still be considered a ‘transfer of data to a third country’ within the meaning of the Regulation and will involve additional restrictions. In other words, the fact that a processor is subject to GDPR doesn’t mean that the additional restrictions on data transfer to a third country such as the US won’t apply.
Entrusting data for processing that results in the transfer of such data to the US is admissible if the processor is an active participant in the Privacy Shield programme. IT market leaders such as Google, Microsoft and Amazon in principle participate in the Privacy Shield, but as far as smaller businesses are concerned, special care should be taken. The current list should be verified each time at www.privacyshield.gov. If a given entity doesn’t participate in Privacy Shield, the controller may only transfer personal data to the US if it provides appropriate safeguards. Such safeguards can be provided by binding corporate rules, standard data protection clauses or an approved certification mechanism. A data controller who decides to transfer data to the US to an entity that doesn’t participate in the Privacy Shield risks failing to provide the appropriate safeguards referred to above, which may involve a fine of up to €20,000,000 or 4% of the total worldwide annual turnover of the preceding financial year.
In the face of the obligation to choose a processor providing guarantees of compliance with GDPR, data controllers are advised to use the services of those processors that are subject to GDPR. In the case of US processors, these will be the processors that have an organisational unit within the EU; whose activities involve the offering of goods or services to data subjects in the EU, irrespective of whether payment by the data subject is required; or whose activities involve the monitoring of behaviour, as far as the behaviour takes place within the EU. In turn, when entrusting data to US entities, it’s also important to bear in mind the additional risks associated with data transfer to a third country, which can be avoided, among other ways, by using the services of organisations actively participating in the Privacy Shield programme.