September 21, 2018

Remarks from Fondia Privacy Team: Imbalance in agreements between processor and a sub-processor

The EU General Data Protection Regulation (679/2016) (later GDPR) became applicable in May 2018. During spring, our team was very busy drawing up document after document. The documents were based on GDPR and WP29 guidelines, and naturally old practices were applied. Since there are no new practices based on GDPR yet, both our own documents and those drawn up by others are constantly being reviewed. We have regular meetings as a part of our teamwork where we discuss issues that raise interest or are open to interpretation. The primary stress in our last meeting was on the data processing agreements. I have been thinking about the concatenation of agreements and the situation when a processor transfers data outside the EEA to a subcontractor. In many agreements the Commission’s so-called model contract clauses have been applied to these kinds of transfers. So far, however, there are no terms that are suitable for the transfer agreements between a processor and a sub-processor.

For this reason, the controller either signs or authorizes the processor to sign an agreement with the sub-processor. An interesting chain is created when the processor is responsible for all the actions of the sub-processor, but the controller is also in a direct contractual relationship with the sub-processor in question. An especially interesting pattern forms, for example, from the duty to notify the other party to the agreement. In the processing agreement the processor agrees to notify the controller of the requests of data subjects or data breaches, and in the sub-processing agreements the processor often obligates its sub-processor to notify the processor of these. However, when using model contract clauses, the sub-processor needs to directly notify the controller.

When the sub-processor neglects the duty to notify, both the processor and the sub-processor are liable to the controller for the neglect. How should this and other obligations be acknowledged when drawing up processing agreements? Can it be stated in the main processing agreement that even though the model contract clauses refer to the controller, it shall mean the processor regarding certain terms, or does this dilute the whole model contract, which should not be modified? It would be desirable that the Commission soon accepts the model contract clauses regarding the transfers between a processor and a sub-processor. In the meantime, it is good to pay closer attention to how the model contract clauses should be taken as a part of the agreements. There will be more remarks after our next meeting.