For a responsible implementation of RGPD (GDPR) contractual obligations
If the reform is to succeed, every player involved must be made accountable, and that accountability must not be eroded by contractual negotiation or by situations of economic dependence. Data controllers could otherwise seek to shift all of their risk onto their suppliers and thereby relieve themselves of their own obligations.
This practice, which is already observed in the market, not only runs counter to the objective of the regulation but is also at odds with fair business ethics.
The importance of player qualifications in determining individual obligations
Before determining the clauses that must appear in the contract under Article 28 of the RGPD, an essential step is for the parties to qualify their relationship: is the customer the data controller, or a joint controller? Is the IT service provider a processor, or a joint controller?
In most IT service contracts (maintenance, hosting, etc.), the customer is the data controller, because it determines the purposes and means of the processing, and the IT service provider is the processor, because it processes personal data on the customer's behalf. In more exceptional situations, a customer and an IT service provider may be qualified as joint controllers (each having the status of data controller, under Article 26 of the RGPD) because they jointly determine the purposes and means of the processing; they then have to share the obligations that the RGPD places on the data controller.
This qualification is extremely important, as it determines the respective obligations of the customer and the IT service provider under the RGPD. A misjudgment of the parties' status can have serious consequences for their liability (failure to meet the obligations attached to that status). Particular attention should therefore be devoted to this crucial stage.
Two crucial lessons follow from this:
- The status of the parties cannot be fixed by contract alone: an in concreto analysis must be carried out on the basis of a set of indicators (who decides the purposes, who decides the means, who acts on whose instructions). If the parties mischaracterize their relationship, a judge or supervisory authority may recharacterize it.
- The customer, as data controller, cannot transfer part of its own obligations onto the IT service provider as processor: the RGPD imposes obligations on each party according to its status, and responsibilities follow from that status, not from the contract.
Confusions that risk undermining data protection rules
Confusion as to the status of the parties to the contract, and consequently as to the nature of their respective obligations, is often linked to the use of the term "co-responsible", which is sometimes used to designate the status of joint controller (in very specific cases) and sometimes the joint and several liability of the processor and controller vis-à-vis the data subject.
Remember that:
- In most cases, the customer is the data controller and the IT service provider is the processor.
- The processor is subject to certain new obligations of its own: keeping a record of processing activities, appointing a data protection officer where required, etc. The customer nevertheless remains bound by its own obligations. Some obligations are therefore common to both processor and customer. The processor is liable for breaches of its own obligations, but not for breaches of the customer's obligations.
- The processor may also be held liable for damage caused by processing if it has acted outside or contrary to the customer's lawful instructions (e.g. as to purpose, retention period, etc.).
- Data subjects may claim compensation for the damage suffered from either the processor or the data controller, and each controller or processor involved in the same processing operation may be held liable for the entire damage, so as to guarantee the data subject effective compensation. In that case, however, the processor that has paid may claim back from the customer, or from any other processor involved in the same processing operation, the portion of the compensation corresponding to their share of responsibility for the damage.
In addition, it should be emphasized that certain provisions of the RGPD still need to be clarified, for example the scope of the processor's duty to assist the customer (Article 28(3)(e) and (f)). In this regard, Syntec Numérique has submitted comments on the CNIL's guide for processors, which many companies use, so that an enriched version may be available soon.
A necessary dialogue between customers and IT service providers
To facilitate relations between customers and IT service providers, Syntec Numérique calls on customers (principals) to raise awareness internally among the departments concerned (legal, purchasing, IT department, etc.). Regular dialogue between customers and IT service providers, involving the CNIL and the Médiateur des Entreprises where necessary, is needed to achieve consistent application of the RGPD and a contractual balance between the parties.