Controller and processor: who is liable?

Legal Watch No. 39 – September 2021

Many data controllers rely on processors (the GDPR term for what the French text calls "sous-traitants"), whether for human resources management, advertising targeting or data security.

Using a processor is far from trivial under the GDPR, which spells out and reinforces the respective responsibilities of the different actors.

When is a service provider a processor?

By way of illustration, the CNIL lists the following categories of organisations:

  • IT service providers (hosting, maintenance, etc.), software integrators, IT security companies, digital service companies,
  • Marketing or communications agencies that process personal data on behalf of clients and
  • More generally, any organization (public or private) offering a service or provision involving the processing of personal data on behalf of another organization.

Software publishers or hardware manufacturers (badge readers, biometric equipment, medical devices) that have no access to personal data and do not process it are not processors.

Processor liability reinforced by the GDPR

The regulation aims to make every actor involved in the processing of personal data accountable, and to distribute that accountability more evenly between them.

Processors in particular are expected to show more initiative: they no longer merely follow the controller's instructions but must, under Article 28 of the GDPR, assist the controller in its ongoing compliance effort: data protection impact assessments, breach notification, security, deletion or return of data at the end of the service, and contribution to audits.

Who is liable? What are the risks for the data controller?

Before the GDPR came into force, the controller answered for the actions of its processor: the processor had to provide sufficient guarantees that security and confidentiality measures would be implemented, but it was the controller's responsibility to make sure those obligations were met. As the CNIL put it in a deliberation of 6 September 2018 imposing a financial penalty on a controller, "the fact that a data breach may have originated in an error committed by a processor has no bearing on the controller's obligation to monitor rigorously the actions carried out by that processor".

Although the GDPR does not relieve the controller of its own obligations, it also exposes the processor to greater liability.

The CNIL made this clear in January 2021, in its first decision on the point.

In a credential stuffing* case, the controller and its processor took more than a year to put in place a tool to detect and block such attacks on the website.

The controller was fined 150,000 euros and the processor 75,000 euros.

The CNIL states that "the controller must decide on the implementation of measures and give documented instructions to its processor. But the processor must also seek the most appropriate technical and organisational solutions to ensure the security of personal data, and propose them to the controller."

First of all: set out roles and responsibilities clearly in a contract

This contract may be based, in whole or in part, on standard contractual clauses (SCCs).

Since 2019, three European data protection authorities (Danish, Slovenian and Lithuanian) have adopted SCCs for processors, on which the European Data Protection Board (EDPB) has issued opinions. On 4 June 2021, the European Commission published its own Standard Contractual Clauses between controllers and processors under the GDPR and Regulation (EU) 2018/1725.

The CNIL also provides example clauses in its guide for processors.

The contract must define:

  • The subject matter and duration of the processing
  • The nature and purpose of the processing
  • The type of personal data processed
  • The categories of data subjects
  • The client's obligations and rights as controller
  • The processor's obligations and rights as provided for in Article 28 of the GDPR

The processor is in particular bound by the following obligations:

  • Appoint a data protection officer if it is a public authority or body, if its core activities involve regular and systematic monitoring of individuals on a large scale, or if it processes so-called "sensitive" data or data relating to criminal convictions and offences on a large scale
  • Document its processing activities and keep a record of the categories of processing carried out on behalf of each controller
  • Offer tools that respect personal data (e.g. a personal information interface, an unsubscribe link)
  • Assist the controller in responding to requests from individuals exercising their rights
  • Ensure the security of the data processed.

Security is the area that most often gives rise to breaches and disputes. The controller is therefore advised:

  • To require the service provider to communicate its information systems security policy;
  • To ensure, and document, that the guarantees offered by the processor in terms of data protection are effective;
  • To verify the effectiveness of the measures in practice, for example through security audits or a visit to the processor's premises.

* Credential stuffing is a type of cyberattack in which stolen account credentials, typically lists of user IDs and associated passwords (often obtained fraudulently), are replayed through large-scale automated login requests against web applications in order to gain unauthorised access to user accounts. Because each attempt carries a real username and password, a single request looks like an ordinary login; detection therefore relies on aggregate signals such as the volume of attempts, the failure rate and the number of distinct accounts targeted from one source.
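To make the footnote concrete, here is an added illustration (not code from the newsletter, the CNIL or the sanctioned companies) of the kind of detection logic the decision above expects a controller and its processor to deploy. It parses a constructed authentication log in an assumed format (`<ISO 8601 timestamp> <source IP> <username> LOGIN_OK|LOGIN_FAIL`) and flags a source address that, within a sliding time window, makes many attempts against many distinct accounts with a low success rate. All IP addresses, usernames and thresholds are assumptions chosen for the example.

```python
"""Credential-stuffing detection over an authentication log (added example).

Assumed log line format (constructed for this illustration, not a real product's):
    <ISO 8601 timestamp> <source_ip> <username> LOGIN_OK|LOGIN_FAIL
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    user: str
    success: bool


def parse_auth_log(text: str) -> list[LoginEvent]:
    """Parse the assumed log format into events sorted by timestamp."""
    events: list[LoginEvent] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts_s, ip, user, outcome = line.split()
        ts = datetime.fromisoformat(ts_s.replace("Z", "+00:00"))
        events.append(LoginEvent(ts, ip, user, outcome == "LOGIN_OK"))
    return sorted(events, key=lambda e: e.ts)


def detect_credential_stuffing(
    events: list[LoginEvent],
    window: timedelta = timedelta(minutes=5),
    min_attempts: int = 20,
    min_distinct_users: int = 10,
    max_success_rate: float = 0.2,
) -> dict[str, dict]:
    """Return {source_ip: stats} for sources whose traffic matches the stuffing pattern.

    The three signals are combined on purpose: a single user mistyping a password
    fails the distinct-user test, and an office NAT behind which many users log in
    successfully fails the success-rate test. Only "many attempts, many accounts,
    mostly failing" from one source is flagged. Thresholds are illustrative.
    """
    by_ip: dict[str, list[LoginEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    flagged: dict[str, dict] = {}
    for ip, evs in by_ip.items():
        win: deque[LoginEvent] = deque()
        for e in evs:  # evs is already time-ordered
            win.append(e)
            while e.ts - win[0].ts > window:
                win.popleft()
            attempts = len(win)
            distinct = len({x.user for x in win})
            successes = sum(x.success for x in win)
            if (attempts >= min_attempts and distinct >= min_distinct_users
                    and successes / attempts <= max_success_rate):
                prev = flagged.get(ip)
                if prev is None or attempts > prev["attempts"]:
                    flagged[ip] = {"attempts": attempts, "distinct_users": distinct,
                                   "successes": successes, "window_end": e.ts}
    return flagged


def build_sample_log() -> str:
    """Constructed sample traffic: one stuffing source, one clumsy user, one busy NAT."""
    t0 = datetime(2021, 9, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Assumed attacker 203.0.113.9: 30 attempts against 30 accounts in under a minute, 2 hits.
    for i in range(30):
        outcome = "LOGIN_OK" if i in (7, 22) else "LOGIN_FAIL"
        lines.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()} 203.0.113.9 user{i:03d} {outcome}")
    # Legitimate user alice: three typos, then success (must not be flagged).
    for i, outcome in enumerate(["LOGIN_FAIL"] * 3 + ["LOGIN_OK"]):
        lines.append(f"{(t0 + timedelta(minutes=1, seconds=10 * i)).isoformat()} 198.51.100.7 alice {outcome}")
    # Office NAT 192.0.2.40: 25 distinct staff, all succeed (must not be flagged).
    for i in range(25):
        lines.append(f"{(t0 + timedelta(seconds=9 * i)).isoformat()} 192.0.2.40 staff{i:02d} LOGIN_OK")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = detect_credential_stuffing(parse_auth_log(build_sample_log()))
    for ip, stats in hits.items():
        print(f"{ip}: {stats['attempts']} attempts on {stats['distinct_users']} accounts, "
              f"{stats['successes']} successes by {stats['window_end'].isoformat()}")
```

In practice the same aggregation should also be run per target account and per network range, since attackers spread requests across proxy pools to stay under any single-IP threshold, and a flagged source should trigger a response (rate limiting, a challenge or step-up authentication) rather than only a log entry. The point the CNIL decision makes is that choosing and proposing such a mechanism is the processor's job too, not only the controller's.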

Also of note

France:

The data leak at the Paris public hospitals (AP-HP), concerning 1.4 million people tested for COVID-19 in mid-2020, has been notified to the CNIL. The Commission and the government have published an information notice for the people concerned.

ANSSI has published recommendations on the security of connected objects.

A service for monitoring and protecting against foreign digital interference (Viginum) was created by decree on 13 July. Its mission is to detect and analyse content hostile to France on digital platforms that is orchestrated from abroad.

Instant messaging is private correspondence: in a judgment of 23 July, the Meaux labour tribunal held that Eurodisney could not dismiss an employee on the basis of a Messenger conversation it was not authorised to access, even though the messaging account was not password-protected.

Europe:

On 15 September the European Commission announced a legislative initiative on the cybersecurity of connected objects. It will complement the proposed NIS2 directive on network and information security.

After more than a year of negotiations, the United States and the European Union have still not reached an agreement on transatlantic data transfers. The talks aim to fill the legal gap left by the Schrems II ruling of the Court of Justice of the European Union, which invalidated the Privacy Shield.

There are nevertheless cooperation efforts, for example on artificial intelligence and on the regulation of platforms distributing illegal content online. This emerges from the inaugural communiqué of the EU-US Trade and Technology Council of 29 September.

Since 27 September, new transfers of data to a country outside the European Union that is not considered to provide an adequate level of protection must be based on the modernised version of the European Commission's standard contractual clauses published on 4 June; contracts concluded under the previous clauses benefit from a transition period until 27 December 2022.

On 24 September the European Data Protection Supervisor published an opinion on the European Commission's anti-money-laundering proposal, stressing the principles of necessity and proportionality of the personal data collected.

On 23 September the Belgian authority published an opinion on extending the use of the Covid Safe Ticket to everyday places and events. It recalls the obligation to demonstrate the necessity and proportionality of this "health pass" and of the interference with private life it entails.

The Irish authority is still regarded in data protection circles as the bottleneck of GDPR enforcement.

Note nevertheless its communication of 17 September, issued jointly with the Italian authority, on the privacy impact of the video and photo functions of Facebook's glasses.

At the same time, the Norwegian authority announced its decision to stop using Facebook for its communications, following a data protection impact assessment.

In a communication of 21 September, the Lithuanian Ministry of Defence recommended not using Chinese phones such as those of Xiaomi Corp, which it found to embed software capable of detecting and censoring certain messages.

International:

The first G7 meeting of data protection authorities brought together, on 7 and 8 September, the authorities of France, Italy, Canada, the United Kingdom, Germany, Japan and the United States, under the UK presidency.

The authorities discussed international data protection issues, including cross-border data flows, issues related to the pandemic and the development of artificial intelligence.

Uruguay, which the European Union regards as providing an adequate level of protection of personal data, has updated its own assessment of the countries to which data may lawfully be transferred.

That assessment does not include the United States among the countries offering an adequate level of protection.

Data transfers between Uruguay and the United States will therefore have to rest on specific safeguards, such as appropriate contractual clauses.

Anne Christine Lacoste

A partner at Olivier Weber Avocat, Anne Christine Lacoste is a lawyer specialising in data law; she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.
