#RGPD: Syntec Numérique alerts IT service providers to possible transfers of obligations
Qualifying players: an essential step in determining obligations
Before determining the statements that must appear in the contract in accordance with the requirements set out in Article 28 of the RGPD, an essential step is for the parties to the contract to qualify their relationship: is the customer a data controller or a joint controller? Is the IT service provider a processor or a joint controller?
Syntec Numérique points out that in the majority of contracts for IT services (maintenance, hosting, facilities management, etc.), the customer is the data controller: it determines the purposes and means of the processing. The IT service provider, on the other hand, acts as a subcontractor, acting on behalf of, on the instructions of and under the authority of the customer.
In addition to these reminders, certain provisions of the RGPD remain to be clarified, in particular the notion of subcontractor assistance to the customer. In this respect, Syntec Numérique is taking part in the ongoing reflections being conducted by the relevant stakeholders (CNIL, G29, etc.) and has in particular contributed comments on the CNIL’s subcontractor guide, used by many companies, so that an enriched version can be made available shortly.
“If the reform is to be a success, all players must be made accountable for their actions, without being undermined by contractual negotiations or situations of economic dependence. Data controllers (principals) could seek to transfer all their risks to their suppliers (service providers), thereby relieving themselves of their obligations. This practice, which is already taking place, not only contradicts the objective of the regulation, but also borders on fair business ethics,” explains Jérôme Siméon, Chairman of Syntec Numérique’s Legal Committee.
“This qualification is extremely important as it will determine the respective obligations of the customer and the IT service provider in accordance with what is provided for by the RGPD. An error of assessment on the quality of the parties could have serious consequences in terms of the liability of the parties (failure to meet obligations). We therefore strongly recommend devoting particular attention to this crucial stage”, comments Jérôme Siméon.