Processor due diligence

The accountability principle (see the accountability principle in the principles part of these Guidelines) also applies when a controller chooses to engage a processor. Article 28(1) of the GDPR[1] requires controllers to perform certain due diligence actions before giving processors access to personal data for the performance of processing activities. As with other provisions of the GDPR, the Regulation does not state which specific actions a controller should carry out when evaluating processors. The only criterion it provides is that controllers should judge processors on their ability to demonstrate that they can carry out the processing in compliance with the GDPR.

Controllers should always keep in mind that the development of geolocation tools often involves the use of several different datasets. The records of processing should therefore ensure traceability of the processing, document any possible reuse of data, and document the use of data belonging to different datasets in the same, or in different, lifecycle stages.

If controllers are developing a tool that relies on a third party for certain processing activities, they need to answer two questions: (1) what type of conduct is expected in order to demonstrate compliance with this obligation; and (2) if some form of positive action is expected, how should controllers carry out such due diligence?

For the first question, the GDPR indicates that controllers who intend to remain compliant may only retain a processor that is able to demonstrate its own compliance with the GDPR. Controllers therefore need to request information in order to assess this. In other words, the GDPR expects controllers to actively ask their potential processor about this; it is not sufficient to rely on a representations-and-warranties clause in the data-processing agreement (see the ‘Integrity and confidentiality’ section in the ‘Principles’ chapter). To this end, controllers may send questionnaires to all prospective processors, or require processors to prove that they have passed an external audit. In addition, controllers may include a contractual audit clause under which the controller itself can carry out an audit of the processor if further evidence is needed.

As for how controllers should carry out this due diligence, again the GDPR does not specify concrete issues to analyse. Nevertheless, certain national supervisory authorities have proposed topics to consider, such as whether the processor follows industry standards, whether it can provide both legal and technical information about how it processes personal data, whether it adheres to a code of conduct, and whether it has gone through a certification scheme.[2]

Besides these general considerations, and depending on how the processing carried out by the third party integrates with the tool being developed, further questions should be asked. In this regard, any question that controllers would ask themselves when developing the tool should also be put to the processor. We refer to the issues posed in the Checklist in the box below for further guidance.

Checklist: Processor due diligence

☐ If the processing involves an international transfer of data, the controllers obtained information on where the processing activities will take place, and (1) carried out the review of supervisory-authority decisions suggested in the next point; and (2) assessed whether the jurisdictions concerned, in the case of non-EU countries, are considered adequate by the European Commission.

☐ The controllers reviewed the decisions and case law of the national supervisory authorities where the processor operates, to check for prior sanctions against the processor.

☐ The controllers required proof of adherence to a code of conduct or of certification (this is not strictly necessary but may be considered good practice).

☐ The controllers required proof of relevant ISO certification (this is not strictly necessary but may be considered good practice).

☐ If a processor is involved, the controllers required a copy of the processor's records of processing activities.

☐ The controllers enquired about the development process of the tool, in particular which kind of data were used to train the tool and which data it needs in order to operate and deliver a useful result.


References


[1] Article 28(1) GDPR (Processor): “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”

[2] ICO (no date) Guide to the General Data Protection Regulation (GDPR): What responsibilities and liabilities do controllers have when using a processor? Information Commissioner’s Office, Wilmslow. Available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/contracts-and-liabilities-between-controllers-and-processors-multi/responsibilities-and-liabilities-for-controllers-using-a-processor/ (accessed 20 May 2020).
