The May 18th, 2018 deadline to become GDPR compliant draws ever-closer as every EU business races to double and triple check that they’ve made the necessary updates. In this third and final section of our compliance checklist overview (check out section one and section two if you missed them), we’ll finish out by covering new requirements within contracts with data processors, as well as the extremely important topic of international data transfers.

Vendor Management

Current Data Responsibilities

Under the current Data Protection Directive in the EU, data controllers (i.e. the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data) instruct data processors (i.e. natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller) on how they can process personal data. Data processors can only handle data in the manner that data controllers put forth with guarantees of adequate protection of the data.

Updated Data Responsibilities

As is the theme with all updates in the GDPR, the responsibilities of both the controller and the processor are greatly increased. The power balance, and therefore the burden of responsibility and liability, between the controller and processor shifts towards the controller under the GDPR. This shift may cause many data controllers to take a second look at their vendor agreements to make sure they will still be 100% compliant after May 18th.

Controller Liability

Since the definition of a controller stipulates that they dictate the data processing activities, controllers are now saddled with the responsibility of ensuring that data processing activities are compliant with GDPR regulations (Article 24). They not only have to put measures in place that will keep their data processes compliant, they also must be able to demonstrate these measures’ efficacy.

Responsibilities of data controllers:
  • They must perform data protection impact assessments when the type of data processing is running a high risk to the rights and freedoms of the people involved
  • Guaranteeing the protection of data subject rights, reporting and notice requirements, and preserving processing records
  • Alerting the supervisory authority of any data breaches and consulting with them before processing data

While the GDPR increases the burden on controllers in many ways, it also relieves them of the duty of registering their processing activities with a Data Protection Authority (DPA) in each member state. The GDPR instead stipulates that controllers must maintain their own detailed processing records.

When selecting a processor, controllers are required to only choose those who provide sufficient assurances of their ability to meet the requirements of the GDPR. The current directive is largely silent on gaining explicit guarantees of processor data protection so controllers may need to alter the current terms of their contracts with processors to ensure they are covered under the GDPR.

Essentially, the GDPR is pushing for controllers to start designing products and processes with privacy at the forefront of production instead of being added later as an afterthought. This idea will take some time to firmly take root and will possibly be met with some initial hostility, but it should keep people’s personal data safer in the long run.

Processor Liability

The processor essentially acts as a tool of the controller, processing data according to the controller’s directions. If the processor acts outside the authority granted by the controller, however, the processor is seen as a controller in its own right and legally treated as such.

Beyond the stipulations in the controller-processor contract, processors are responsible for the following:

  • Implement necessary technical and organizational measures in compliance with the GDPR
  • Delete or return processed data to the controller upon completion
  • Adhere to specific conditions when engaging other processors
    • i.e. processors aren’t allowed to sub contract other processors without written consent from the controller
  • Keep records of all categories of personal data processing carried out on behalf of the controller


International Data Transfers

The current rules for the transfer of data to a third country or international organization are similar to those put forth in the GDPR in terms of the approval process with the European Commission (EC). Countries with an adequate level of personal data protection laws are given the go-ahead by the European Commission and are henceforth permitted to receive personal data from the EU. Without the decision of adequacy by the EC, certain circumstances, such as standard contractual clauses or binding corporate rules (BCRs), still allow for the international transfer of data.

For more info on the effect the GDPR will have on Binding Corporate Rules, consult this guide: EU Regulation Binding Corporate Rules Under the GDPR—What Will Change?

Chapter V of the GDPR, which spans articles 44 through 49, covers all things cross-border personal data transfer. The articles cover the following:

  • Article 45: Conditions for transfers with an adequacy decision
  • Article 46: Conditions for transfers through appropriate safeguards in the absence of an adequacy decision
  • Article 47: Conditions for transfers through BCRs
  • Article 48: Addresses situations in which foreign administrators order transfers not otherwise permitted by the GDPR
  • Article 49: conditions for derogations in specific situations in the absence of an adequacy decision or appropriate safeguards

These articles represent the data controller and processor’s choices of international data transfers under the GDPR from most to least convenient.

Adequacy Decision

Under the GDPR, once a country or international organization is deemed “adequate” by the European Commission, personal data is permitted to be transferred out of all EU member states. The definition of “adequacy” as it pertains to a third countries data protection policy under the purview of the GDPR is essentially equivalency. In other words, a third country or international organization’s data privacy policy has to be up to the standard of the GDPR, otherwise, the adequacy rule doesn’t apply.

Adequacy decisions are also subject to periodic review to ensure the third party is maintaining the data privacy standards with which they were initially approved.

Appropriate Safeguards

In the absence of an adequacy designation, data transfers are still permitted to a third country with one of the following appropriate safeguards:

  • A legally binding and enforceable instrument between public authorities or bodies
  • Binding Corporate Rules (BCRs) in accordance with article 47
  • Standard data protection contractual clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93
  • Standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93
  • An approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards in regards data subject’s rights
  • An approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply to the appropriate safeguards in regards to data subject’s rights

Conditions for Derogations

Another option for instances where a third country lacks an adequacy distinction is the derogations set out in Article 49. These derogations apply when:

  • The data subject has explicitly consented to the transfer after having been informed of the risks
  • The transfer is necessary for the performance of a contract between the data subject and the controller
  • The transfer is necessary for the conclusion of a contract in the interest of the data subject between the controller and another legal person
  • The transfer is necessary for important reasons of public interest
  • The transfer is necessary for the establishment, exercise or defense of legal claims
  • The transfer is necessary to protect the vital interests of the data subject or of the other persons, where the data subject is physically or legally incapable of giving consent
  • The transfer is made from a register that, according to EU or member state law, is intended to provide information to the public and that is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest. This is only to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case

Hopefully this guide (along with the first and second parts) will help you in this massive shift in the rules and regulations surrounding how business entities handle the sensitive personal information of the public.

For more info on the GDPR, and other data-related issues, check out these helpful articles: