GDPR regulates the processing of personal data by imposing obligations on two types of organizations — data controllers and data processors. Data controllers determine the purposes and means of the processing, while data processors process personal data on the controller’s behalf and on its instructions.
As well as regulating the activities of each of them (as detailed throughout this series), the Regulation also sets requirements for the relationship between them (in Article 28), including what the processing contract must contain. This article will look at these requirements in detail.
Data controllers must only use data processors who can give “sufficient guarantees” that they can and will comply with the requirements of the Regulation and protect the rights of data subjects.
This means being able to show that they have the expert knowledge, resources and reliability to do so (Recital 81), rather than merely offering contractual promises. Adherence to an approved code of conduct or an approved certification mechanism may be used as evidence of such guarantees (Article 28(5)), so relying on these schemes as they become available is likely to be justified.
Data processors must only ever process data on the data controller’s documented instructions, unless required to do otherwise by EU or Member State law (Article 29). As well as being a violation in itself, straying outside those instructions and determining the purposes and means of the processing themselves means they are treated as a data controller in respect of that processing (Article 28(10)), and therefore become subject to the additional obligations that controllers carry.
All processing by a processor must be governed by a contract between controller and processor (or some “other legal act” under EU or Member State law which binds the processor to the controller). The contract must be in writing, including in electronic form (Article 28(9)), and there are a number of things which must be contained in it:
A data processor must not pass the work on to another data processor without either (i) obtaining specific written authorization from the data controller or (ii) obtaining general written authorization from the data controller, informing them of any intended addition or replacement of other processors and giving them the opportunity to object (Article 28(2)). These conditions must be spelled out in the processor’s contract with the controller.
Wherever another data processor is engaged in this way, the contract (or other legal act) must impose the same data protection obligations as the first processor’s obligations under its contract with the controller. Again, this must also be required by the original processing agreement.
Where the new processor fails to fulfil those obligations, the original processor remains fully liable to the data controller for their performance (Article 28(4)). This is an extra incentive for the original processor to check the fitness of any such new processor before engaging it.
A major purpose of all of these rules is to prevent data controllers and processors from attempting to avoid responsibility by passing it on to each other. They clearly set out that data processors must work strictly within their instructions and remain liable even if they lawfully pass the work on to another organization. Meanwhile, data controllers must make sure that they only use fit and proper organizations as data processors and use their contracts to bind the processors contractually (as well as under the Regulation itself).
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.