Shared responsibility of processors (subcontractors)

Excerpt from Bruno DUMAY's book: GDPR DECRYPTION – For Managers, Strategic Departments and employees of companies and organizations – Preface by Gaëlle MONTEILLER

Throughout the text, processors (in French, sous-traitants) are mentioned alongside data controllers. Under Article 4(8), a processor is "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller." It may only act under a contract or other legal act under Union or Member State law that sets out its data protection obligations (Article 28(3)).

In September 2017, the CNIL published a guide for processors (Guide du sous-traitant) which clarifies their role and status in the data processing and protection chain.

Despite this precise definition, the term processor covers many kinds of organisation. The guide lists the following:

“– IT service providers (hosting, maintenance, etc.), software integrators, IT security companies, and digital service companies (formerly known as IT service and engineering companies, SSII) that have access to the data;

– marketing or communications agencies that process personal data on behalf of clients;

– more generally any organization offering a service or provision involving the processing of personal data on behalf of another organization;

– a public body or an association may also fall under this qualification”.

Note that when a processor processes data on its own behalf (e.g., managing its own personnel), it is the controller of that processing. The same holds whenever it determines the purposes and means of the processing itself.

Where there is doubt about the status of a party (controller or processor), the CNIL refers to the opinion of 16 February 2010 of the European supervisory authorities (Article 29 Working Party, Opinion 1/2010), which sets out a number of indicators that can be used:

– the autonomy the service provider has in delivering its service;

– the degree of control the client exercises over the service;

– the added value, i.e. the expertise, contributed by the service provider;

– the degree of transparency about the use of a service provider (is its identity known to the data subjects who use the client’s services?).

Under the GDPR, the processor carries its own share of responsibility. It "assists the controller in ensuring compliance with the obligations" laid down in Articles 32 to 36 (Art. 28(3)(f)). It maintains a "record of all categories of processing activities carried out on behalf of a controller" (Art. 30(2)). And, in many cases, it must also designate a data protection officer, since Article 37 applies the same criteria to processors as to controllers; we will return to this later.

The CNIL specifies in its guide what is meant by the “sufficient guarantees” (Art. 28(1)) that a processor must provide in order to be entrusted with processing:

– transparency and traceability (contract, instructions, register and all information necessary to prove compliance with obligations);

– data protection from design and by default (minimal processing, related to the purpose and only that purpose, limited duration);

– security of the data processed (confidentiality, notification in the event of a data breach, deletion or return of data at the end of the service);

– assistance, alert and advice.

If the processor in turn engages another processor, it must first obtain the controller’s written authorisation, whether specific or general (Art. 28(2)). This second processor is bound by the same obligations as the first (Art. 28(4)), even if it is established outside the European Union. If it fails to meet them, the first processor remains fully liable to the controller. In other words, when something goes wrong, one cannot point to a service provider’s location in Morocco or Singapore to justify processing that does not comply with the GDPR.

The CNIL recommends amending existing contracts so that they include the mandatory clauses required by the European regulation.

If a processor operates in several EU countries, a one-stop-shop mechanism applies. Article 56(1) provides that the "lead supervisory authority" is that of its main establishment. If a processor has no establishment in the EU but its processing falls within the scope of the regulation (Art. 3(2)), it must designate a representative in the Union (Art. 27), who will be the point of contact for data subjects and supervisory authorities.

The sanctions applied to a processor that fails to meet its obligations can be as severe as those imposed on a controller (Art. 83).