First Fine Imposed On A Data Processor Under GDPR
Recently, the first fine was imposed by an EU data protection authority against a data processor under the General Data Protection Regulation 2016 (“GDPR”). Although the non-compliance took place in Italy and the fine was only for EUR 50,000, it’s a timely reminder to data processors here in the UK of their direct statutory obligations under the new data protection regime.
Prior to the GDPR, the position in the UK (and a number of EU Member States) was that only data controllers were subject to statutory obligations under data protection law. Data processors, on the other hand, were not at risk unless they breached their obligations under contract law (i.e. any contractual data protection obligations imposed upon them by the data controller).
The GDPR changed all this by imposing certain direct statutory obligations on data processors at an EU-wide level. This means that data processors, as well as data controllers, are subject to the enforcement regime set out in the GDPR (including the potentially eye-watering fines). It also means that data subjects may be able to bring direct claims for compensation against data processors.
The main statutory obligations that apply to data processors under the GDPR are:
- You must only process personal data in accordance with the data controller’s instructions (unless otherwise required by law). If you act outside your instructions, you will become a controller for the purposes of that processing.
- You must enter into a binding contract with the data controller and that contract must contain certain mandatory provisions.
- You must not appoint a sub-processor unless you have the authority of the data controller. Also, any contract with a sub-processor must include contract terms that offer an equivalent level of protection for the personal data as those in the contract between you and the data controller.
- You must implement appropriate technical and organisational measures to ensure the security of personal data (taking into account, in each case, the level of risk involved in the processing).
- You must notify the data controller of any personal data breaches without undue delay.
- You may need to keep records of the processing you carry out and/or appoint a data protection officer. Both these obligations only apply if certain criteria are met.
- You can’t transfer personal data outside the EEA unless the transfer (i) is authorised by the data controller and (ii) complies with the provisions of the GDPR relating to international transfers of personal data.
In the Italian case, the data processor’s non-compliance related to the failure to implement appropriate technical and organisational security measures to protect personal data. The Italian data protection authority (the Garante) issued specific requirements regarding the security measures that the data processor needed to implement and issued a fine when the data processor failed to comply. Interestingly, the Garante only fined the data processor, not the data controller.
If you’d like more information about the direct statutory obligations imposed on data processors under the GDPR or if you need guidance to work out whether your business is acting as a data processor, please contact a member of our Commercial Team.