Most large enterprises make use of outsourcing in their daily business. This constitutes a profitable solution, notably in relation to accounting, HR, health and safety or IT services. On the other hand, it implies the necessity to entrust the processing of personal data, including employee data, to third parties, which is possible only under an agreement on processing (the “Agreement”).
The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the “GDPR”) which enters into force from 25 May 2018, governs the matter of the Agreement in a much more rigorous manner, i.e. by significant specification of the elements of the Agreement. Employers must be prepared for this change and duly adjust any Agreements which are already concluded, e.g. by amending the existing ones or by concluding new ones.
Verification of the Processor
When the employer makes use of outsourcing, he still remains the controller of the personal data. He only entrusts its processing to the other entity under the Agreement. The GDPR imposes a new duty on the controller, namely the duty to verify the processor.
The controller should only make use of processors who provide sufficient guarantees to implement technical and organisational measures which will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. This includes the duty to verify the prospective processor, in particular in regard to its expert knowledge, reliability and resources.
More mandatory provisions
The GDPR establishes the obligation, not only the right as it was before, to conclude the Agreement in written form (electronic form included). In this regard it should be noted that the GDPR – in comparison to hitherto binding regulations – significantly extends the catalogue of the Agreement’s mandatory provisions.
The Agreement must regulate the following matters concerning processing:
- the nature and purpose;
- the type of personal data;
- categories of data subjects;
- obligations and rights of the controller; and
- obligations and rights of the processor.
Furthermore, the Agreement should include a number of other provisions regarding the obligations of the processor. It should ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Additionally, the processor should assist the controller by providing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligations, e.g. the controller’s obligation to respond to requests relevant to the data subject’s rights.
It should be determined how the processor shall delete or return all the personal data to the controller after the end of the provision of services relating to processing, and whether he shall delete existing copies.
On the one hand, the Agreement should be drawn up to secure the controller’s rights. On the other, the particular elements of the Agreement should meet the requirements of the GDPR, which are much more complex than the earlier regulations. Appropriately balancing these interests may prove problematic.
Processing of the personal data only based on documented instructions from the controller
It is crucial that the processor may process personal data only on the basis of documented instructions from the controller.
Employers who make use of outsourcing should decide whether they wish to include such instructions in the Agreement or to separate them from it into a distinct document.
Failure to adjust the Agreements is severely punishable
Employers may find the task of concluding new Agreements, or amending existing ones in line with the latest regulations, to be laborious. Employers entrusting processing to other entities should take into account the current obligation to verify processors and the extended – in comparison to hitherto binding regulations – catalogue of mandatory provisions of the Agreement.
Possible infringements may result in numerous negative consequences, including severe financial penalties.