The General Data Protection Regulation (GDPR) will inevitably impact a lot more companies than before. The GDPR will indeed apply to any business that acts as data controller or data processor and that offers goods or services to individuals in the EU, regardless of whether it is physically located in the EU (see I).
Moreover, the GDPR imposes many new obligations on both data controllers and data processors, triggering a real shift in their respective responsibilities. This will entail major consequences for a large number of European as well as non-European companies (see II) and create new challenges that many businesses will need to address in the near future (see III).
(I) Businesses without establishment in the EU may fall under the scope of the GDPR
The GDPR will apply to EU and non-EU companies that (i) process personal data in relation to the offering of goods or services to EU data subjects or (ii) monitor the behaviour of individuals within the EU. The concepts of personal data and processing remain very broad. Personal data include any kind of information (e.g., location data, online identifier …) that allows a person to be identified, even indirectly. In addition, the mere hosting, storage, or even the erasure or destruction of data amounts to processing of such data.
Companies are considered to be targeting EU citizens if one or more of these elements are present: the use of a language or a currency generally used in one or more Member States in conjunction with the offering of goods and services, and/or the mentioning of customers or users who are based in the EU. Conversely, the mere fact that a website of a non-EU-based business is accessible from the EU is not a determining factor.
This approach will significantly broaden the scope of application of the GDPR, as it will now clearly encompass all websites and apps that track EU citizens’ online behaviour/digital activities, e.g., by making use of tracking cookies.
(II) New, heavier obligations imposed on both data controllers and data processors
The GDPR did not change the definitions of the terms “data controller” and “data processor”. The former remains defined as the entity “which, alone or jointly with others, determines the purposes and means of the processing of personal data”, while the latter is the entity that processes personal data on behalf of the controller, and this definition covers, for instance, a cloud-computing service provider.
A significant development is that the GDPR explicitly addresses the processing of personal data by both data controllers and data processors (under the conditions described above in these terms’ definitions).
In addition, a data processor that itself determines the purposes and means of the data processing should be considered a controller with regard to that specific processing. Besides blurring the boundaries between data controller and data processor, this also lowers the threshold for triggering the application of the provision on “joint controllership”, thereby subjecting the processor-turned-controller to heavier responsibilities.
Furthermore, the GDPR imposes more stringent obligations on data controllers. As a matter of principle, data controllers are responsible for ensuring that the data processing complies with the key principles of the GDPR. In this respect, data controllers will have to keep records of all processing activities carried out under their responsibility, including all information that can demonstrate their data processing compliance with the GDPR.
With regard to data processors, there will be a greater shift in liabilities. Indeed, for the first time data processors will have direct obligations towards the data subjects, whereas before they were merely responsible towards the data controller. Like the data controller, the data processor can also be sanctioned by fines if it fails to fulfill those obligations.
For instance, data processors (again, just like data controllers) must implement technical and organizational measures to ensure that their processing is secure. In addition, they must immediately inform the data controller about any security breach that has occurred in relation to the processing.
By the same token, each data processor must keep records of all data processing activities that it carries out on behalf of the data controller.
Moreover, the data controller and the data processor must cooperate with the supervisory authority throughout the performance of their data processing tasks. The data processor might therefore also be required by the supervisory authority to meet data subjects’ requests whenever the latter exercise their rights.
Lastly, the GDPR sets forth more extensive requirements that must be reflected in a contract between the data controller and the data processor. An obligation to have a written agreement between the data controller and the data processor already exists under the Data Protection Directive, but the requirements for this agreement under the GDPR are more significant: the data processor must satisfy its regulatory obligations as regards confidentiality, security, and sub-processing; the data processor must, at the data controller’s choosing, delete or return all the personal data; and it must assist the data controller in (i) ensuring fulfilment of the controller’s obligations on security and prior notification and (ii) taking technical and organizational measures to fulfil the controller’s obligation to respond to data subjects’ requests. However, no transitional provision has been adopted in this respect, so all existing data processing agreements between these parties are at risk and the parties are therefore compelled to renegotiate their contracts.
(III) Coming challenges
The practical implementation of all these new legal requirements appears to be challenging. For example, the new processor-controller joint responsibility for security breaches will imply that data processors should conduct a risk assessment for each intended processing operation.
Moreover, data processors will have the relative comfort of limiting their liability towards data controllers under the GDPR because the supervisory authority can now fine data controllers directly.
Furthermore, data processors acting on behalf of several data controllers, for instance when offering outsourcing services to several companies, will have to manage the fulfilment of their numerous contractual obligations under those distinct data processing agreements very carefully. Finally, data controllers will need to select their suppliers more carefully to ensure that the latter process personal data cautiously and diligently. A data controller will also eventually need to perform audits to ensure that the data processing complies with the principles of the GDPR. The data controller must indeed be able to demonstrate that it has chosen a data processor that provides “sufficient guarantees to implement appropriate technical and organizational measures and procedures in such a way that the processing will meet the requirements of the GDPR”.