Entrusting the processing of personal data according to the GDPR - rules


Almost every entrepreneur uses the services of third parties in the course of business, outsourcing specific tasks. Whether these are accounting firms, marketing agencies, an external data protection officer or an IT specialist building a database from information sent by the entrepreneur, the entrepreneur provides these entities with the data of natural persons that it holds. Because such data are subject to strict protection, the formalities connected with entrusting the processing of personal data must be completed.

The choice of the processor cannot be accidental

If the entrepreneur acting as data controller uses the services of another entity and transfers to it the personal data it holds, the processing of these data is usually being entrusted. The GDPR obliges the controller to exercise due diligence when selecting processors - the controller should select only those that:

"Provide sufficient guarantees - in particular in terms of expert knowledge, reliability and resources - to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing" (Recital 81 GDPR).

A processor within the meaning of the GDPR (Article 4(8) of the Regulation) is any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. Entrusting the processing of personal data requires compliance with the procedure laid down in the GDPR, above all the conclusion of a data processing agreement that specifies in detail the obligations imposed on the processor (more on this below).

However, processing is not entrusted in every case in which more than one entity takes part in the processing. If two entities jointly decide on the purposes and scope of the processing (e.g. as part of a jointly conducted project), this is joint control. In such a situation the two entities are joint controllers and there is no need to conclude a data processing agreement. Instead, the joint controllers must conclude a separate arrangement under Article 26 GDPR, in which they determine their respective responsibilities for fulfilling the obligations arising from the GDPR.

Entrusting the processing of personal data is subject to the requirements of the GDPR

The regulation requires that entrusting the processing of personal data takes place on the basis of an agreement concluded between the data controller and the processor. In practice, this agreement may constitute an annex to the agreement concluded between these entities and regulating the principles of their cooperation.

The contract must specify:

  • the subject of processing (i.e. precise indication of what data is processed on the basis of the main contract concluded between the parties);

  • the duration of the processing (the processing period will result primarily from the main contract regulating the relationship between the parties);

  • the nature and purpose of the processing;

  • type of personal data;

  • categories of data subjects;

  • the obligations and rights of the controller.

The processing agreement should be in writing; the GDPR also allows it to be concluded in electronic form. The most important part of the agreement is the set of obligations imposed on the processor. Pursuant to Article 28 GDPR, the data processing agreement should stipulate that the processor:

  1. processes personal data only on documented instructions from the controller - which also applies to transfers of personal data to a third country or an international organisation - unless such processing is required by Union law or the law of a Member State to which the processor is subject;

  2. ensures that persons authorized to process the personal data have committed themselves to secrecy or are under an appropriate statutory obligation of secrecy;

  3. takes appropriate data security measures (in accordance with Article 32 GDPR, "this provision requires technical and organisational measures that adjust the level of security to the existing risk, for example by using pseudonymisation or encryption of personal data");

  4. complies with the conditions for engaging another processor, in accordance with the provisions on sub-processors;

  5. taking into account the nature of the processing, assists the controller, as far as possible and by appropriate technical and organisational measures, in fulfilling the controller's obligation to respond to requests from data subjects exercising their rights set out in Chapter III of the GDPR (Chapter III of the Regulation defines the rights of the natural persons to whom the data relate);

  6. taking into account the nature of the processing and the information available to it, assists the controller in fulfilling the obligations set out in Articles 32-36 GDPR (i.e. the provisions that oblige the controller to ensure the security of personal data through appropriate technical and organisational measures, to notify personal data breaches to the supervisory authority and to carry out a data protection impact assessment);

  7. upon termination of the provision of processing services, at the controller's choice, deletes or returns to the controller all personal data and deletes existing copies, unless Union law or the law of a Member State requires the personal data to be stored;

  8. makes available to the controller all information necessary to demonstrate compliance with the obligations set out in this Article, and allows for and contributes to audits, including inspections, conducted by the controller or an auditor mandated by the controller;

  9. immediately informs the controller if, in its opinion, an instruction given to it infringes the GDPR or other Union or Member State data protection law.

If the processor wants to engage a subcontractor (a so-called sub-processor) in carrying out its activities, it must obtain the controller's authorisation. This authorisation may be specific (for a particular subcontractor) or general. The sub-processor is bound by the same data protection obligations as those set out in the agreement between the controller and the original processor. Only the original processor remains liable to the controller, even where it is the sub-processor that fails to fulfil its obligations. It is worth remembering that the list above is not a closed catalogue. Depending on their needs, the parties may supplement the agreement with additional provisions, for example on liability for deficiencies in the processing of the entrusted data, on audits of the processor carried out by the controller, or on contractual penalties.


Failure to conclude an agreement is grounds for imposing a penalty

Although the parties may, in principle, freely regulate the rules of liability between the controller and the processor in the data processing agreement, the ultimate responsibility for irregularities connected with entrusting processing rests with the controller. The absence of a data processing agreement - where entrustment actually takes place and a third party processes personal data provided by the controller - also has consequences. Irregularities in entrusting the processing of personal data may result both in administrative fines imposed by the President of the Office for Personal Data Protection and in civil liability towards the person whose data has been improperly processed by the processor.

For these reasons, in order to minimise its liability, the controller should ensure that it has a real ability to oversee how the processor handles the entrusted data.