GDPR Sub-processors


Julian Gladyshev
Aug 5, 2024, 3:58:14 AM
to flounamblednap
The new sub-processor page is great, I like the improvements done over time. If running HubSpot in the EU data center there are still some features that can't be offered with EU (or GDPR compliant) sub-processors. Wouldn't it be great if these could be turned off in the HubSpot portal? Or that you could clearly see which sub-processors you use.

The same goes for support from HubSpot (HubSpot Affiliate Sub-Processors). There is already a good feature to prevent access, but it would be even better if you could choose support only from EU countries.


Processors have less autonomy and independence over the data they process, but they do have several direct legal obligations under the UK GDPR and are subject to regulation by supervisory authorities. If you are a processor, you have the following obligations.


An individual can also bring a claim directly against you in court. You can be held liable under Article 82 to pay compensation for any damage caused by processing (including non-material damage such as distress). You will only be liable for the damage if:


If you are required to pay compensation but are not wholly responsible for the damage, you may be able to claim back from the controller the share of the compensation for which they were liable. Both parties should seek professional legal advice on this.


If you have general authorisation, you must inform the controller if you wish to make any changes to the list of possible sub-processors or criteria for choosing a sub-processor, and give the controller a chance to object.


If you have specific written authorisation, you may appoint the sub-processor but must put in place a contract with the sub-processor. The terms of the contract that relate to Article 28(3) must offer an equivalent level of protection for the personal data as those in the contract between you and the controller.


Under the GDPR, the concept of a "processor" has not changed. Any entity that was a processor under the Directive likely continues to be a processor under the GDPR. However, whereas the Directive generally only imposed direct compliance obligations on controllers, the GDPR imposes direct compliance obligations on both controllers and processors, and both controllers and processors will face direct enforcement and serious penalties if they do not comply with the new EU data protection law.


The direct legal obligations imposed on processors under the GDPR are of obvious importance to organisations that act as processors. However, they are also important to organisations that act as controllers, and engage processors to process personal data on their behalf.


Under the GDPR, processors (e.g., many outsourced service providers) are likely to face significantly higher costs as a direct result of the increased compliance obligations, and those costs are likely to be passed on to customers. Furthermore, the negotiation of processing agreements is likely to become more complex, as processors become more careful about the terms of the agreement and the scope of the controller's instructions.


Organisations that act as processors, or act as controllers that engage processors, should carefully review the requirements associated with appointing processors. In particular, they should review their existing data processing agreements and consider whether any amendments are required. Any new data processing agreements should be drafted in accordance with the requirements of the GDPR.


Organisations that act as controllers commonly appoint service providers to process personal data on their behalf. EU data protection law permits this practice, but imposes certain requirements on organisations that wish to do so.


A controller that wished to appoint a processor was only permitted to engage processors that guaranteed compliance with national data protection laws based on the Directive. The controller was only permitted to engage the processor under a binding written agreement, which states that the processor:


A controller that wishes to appoint a processor must only use processors that guarantee compliance with the GDPR. The controller must appoint the processor in the form of a binding written agreement, which states that the processor must:


The GDPR imposes significant new requirements that must be included in all data processing agreements. As the GDPR does not contain transitional arrangements addressing this issue, pre-existing agreements are affected as well and may need to be renegotiated. It is likely that processors located outside the EEA will resist the imposition of these new obligations, potentially making it harder for organisations acting as controllers to lawfully appoint their desired processors, and resulting in more complex negotiations of outsourcing agreements.


EU data protection law applies across all sectors to all organisations that are subject to the law. Whereas the Directive generally only imposed direct legal compliance obligations on controllers, the GDPR imposes direct legal compliance obligations on processors as well.


Each Member State was required to implement national data protection laws imposing direct legal compliance obligations on controllers that fell within the scope of the Directive (as implemented in the national law of the relevant Member State).


The GDPR applies to the processing of personal data by a controller or a processor that falls within the scope of the GDPR (regardless of whether the relevant processing takes place in the EU or not).


The Directive only imposed direct compliance obligations on controllers (with processors generally only having contractual obligations, not direct legal compliance obligations). The GDPR, however, imposes legal compliance obligations directly on controllers and processors.


The defining feature of a processor is that a processor acts in accordance with the controller's instructions. However, a processor might face conflicting requirements between the controller's instructions and applicable law, which leads to obvious difficulties.


In the event that a processor believes that the controller's instructions conflict with the requirements of the GDPR or other EU or Member State laws, the processor must immediately inform the controller.


The GDPR provides a sensible solution, requiring the processor to inform the controller that it cannot comply with the controller's instructions where those instructions conflict with applicable (EU) law. It is then for the controller to issue revised instructions that are consistent with applicable law.


The GDPR provides no clear guidance on what should happen if the controller's instructions place the processor in breach of the national laws of a jurisdiction outside the EU. Presumably, this will be an issue for negotiation between the parties.


Sub-processors were only permitted to process personal data in accordance with the instructions of the controller or the requirements of applicable law. However, the Directive did not provide clear rules for the appointment of sub-processors.


The processor must not appoint a sub-processor without the prior written consent of the controller. Where the controller agrees to the appointment of sub-processors, those sub-processors must be appointed on the same terms as are set out in the contract between the controller and the processor, and in any case in accordance with Art.28(1)-(2) (see above).


Although the Directive did not directly address this issue, DPAs generally interpreted the Directive as requiring sub-processors to be appointed on the same terms that apply to the processor, and subject to the controller's approval. Consequently, the new language in the GDPR is unlikely to make very much practical difference.


The processor must ensure that any personal data that it processes are kept confidential. The contract between the controller and the processor must require the processor to ensure that all persons authorised to process the personal data are under an appropriate obligation of confidentiality.


Art.29 of the GDPR follows the provisions of Art.16 of the Directive. Despite the new requirements regarding contractual protections, there is little practical change for either controllers or processors in this context.


Where a processor, in breach of the GDPR, determines the purposes and means of any processing activity (i.e., if the processor makes its own decisions, rather than following the controller's instructions), that processor is treated as a controller in respect of that processing activity.


Organisations acting as processors should be extremely cautious of this provision. In essence, any time that such an organisation processes personal data for its own purposes, rather than the purposes of the controller, that organisation becomes a controller, and is subject to the full compliance obligations of a controller in relation to that processing.


In order to ensure compliance, EU data protection law requires processors to ensure that they keep records of their data processing activities, and that the information in those records is provided to (or is available on request by) DPAs.


The Directive did not specifically require processors to maintain records of any kind. In almost all Member States (other than the Republic of Ireland) there was no obligation on processors to register with the DPA.


Organisations acting as processors (or their representatives) are subject to this new obligation of maintaining records of processing activities in order to provide, upon request, the recorded information to the DPA. This is likely to require significant investment by processors in record-keeping functions.


The Directive did not require processors to cooperate with DPAs. Instead, the national laws of Member States required controllers to cooperate with DPAs, and the Directive required processors to act on the instructions of those controllers (see above).
