Brief n°1 – CNIL investigations in 2019: the sharing of responsibilities between controller and processor
The French supervisory authority, the CNIL, recently presented its “2018 Activity Report”, in which it outlines a “GDPR effect”, illustrated in particular by the unprecedented increase in the number of complaints lodged with it since the regulation entered into force, and unveils its strategy for 2019. More specifically, the CNIL will focus its investigations on three major themes, one of which is likely to be the cause of numerous breaches of the regulation: “the sharing of responsibilities between controllers and processors”, in particular by checking that a contract between them exists and is actually implemented.
Article 28 of the GDPR provides a framework for the processing conducted on behalf of a controller by another entity. In practice, the controller provides the processor with detailed and documented instructions to carry out the processing on its behalf.
- The issue of the qualification of the parties
A first issue arises immediately from the need, in the context of a contractual relationship involving the transmission of data, to determine accurately the role of each contracting party and to identify, where applicable, a processor. A complex contractual scheme may indeed prove difficult to qualify, especially if it operates in a particular sector such as insurance.
A quick reading of the provisions of the regulation could lead some to regard any third party to whom personal data are communicated as a processor. However, such a mistake of qualification would have significant impacts on the contractual relationship between the parties, and notably its economic balance; hence the need for a thorough analysis of the contextual elements to determine precisely the role of each party and, where applicable, their obligations under Article 28 of the GDPR.
- The organisation of the contractual relationship
Once the parties have been properly qualified, their contractual relationship must be organised in accordance with the provisions of the GDPR, given that the processor “processes the personal data only on documented instructions from the controller” (Article 28.3(a)). The existence of a legal instrument (contract or other legal act under Union or Member State law) securing the relationship and its correct implementation will be one of the aspects checked by the CNIL in 2019.
On certain matters, clarification is required. For instance, with regard to the exercise of data subjects’ rights, the notification of a security breach to the competent supervisory authority or the deletion of data at the end of the storage period, the controller and the processor must determine their concrete roles, as the burden of these obligations may fall on either party.
The GDPR also requires the processor to take all measures required to guarantee the security of the data (Article 28.3(c)) and to contribute to the controller’s compliance with its obligations in this respect (Article 28.3(f)). Although this appears to be only an obligation of means (“obligation de moyens”), non-compliance is nevertheless sanctioned severely by the CNIL. The authority will undoubtedly pay particular attention to the implementation of adequate security measures in the course of its investigations.
A proper distribution of obligations and effective cooperation between the controller and the processor can allow, in the event of a personal data breach, its quick resolution and a limitation of the negative consequences for the rights and freedoms of data subjects (and possibly a reduction of the administrative fine: on 17 April 2019, the Conseil d’Etat reduced the fine imposed on Optical Center by €50,000 because of the speed with which the company and its processor implemented appropriate corrective measures after online security breaches were identified).
In 2014, Orange was sanctioned for not preserving the security and confidentiality of its users’ data, in particular by failing to monitor the due diligence undertaken by one of its processors to ensure adequate levels of security.
- Sharing administrative and civil responsibilities
In the event of an investigation by the CNIL and a finding of a breach of the provisions of Article 28 of the GDPR in particular, an administrative fine (the maximum amount of which has been considerably increased) may be imposed. Some doubt remains as to who, in the event of a shared responsibility, will have to bear the cost of the sanction and how this sum will be distributed among the various parties involved in the processing operations. The intensification of controls on this matter and a thorough analysis of the decisions rendered on this basis will undoubtedly make for some clarification and secure future contractual relationships between controllers and processors.
On the civil level, any person may, on the basis of Article 82.1 of the GDPR, obtain compensation for the damage suffered from either the controller or the processor, with the possibility of a subsequent recourse action against the party that contributed to the damage.
Nevertheless, a “processor shall be liable for damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller” (Article 82.2). A strict framework for the contractual relationship, including detailed instructions from the controller, will simplify the sharing of responsibilities between the parties in the event of litigation.
We can help companies in the qualification of their contractual relationships and, when necessary, the drafting of contracts.
Isabelle GAVANON and Valentin LE MAREC