The Data Processor (RTD): who it is and what role it plays

What are the role and tasks of the Data Processor as outlined by Regulation (EU) 2016/679, better known as the GDPR? What are the responsibilities of this figure, and how does it relate to the Data Controller? As a contribution to the ongoing debate, a new document has been drawn up by the Network of DPOs of the Independent Administrative Authorities. 12 July 2022

Patrizia Cardillo, expert in personal data protection, Coordinator of the DPO Network of the Independent Authorities

The Network of Data Protection Officers of the Independent Administrative Authorities (hereinafter: Network)[1], after publishing in April last year the Document on the role and tasks of the Data Protection Officer (hereinafter: DPO; see here a focus on this figure and the full Document), has now turned its attention to the Data Processor (hereinafter: "RTD" or processor): its role and tasks as outlined by Regulation (EU) 2016/679 (hereinafter: "GDPR" or Regulation), its responsibilities and, above all, the central importance of its relationship with the Data Controller (hereinafter: "controller"). That relationship makes it all the more necessary to clarify the content of the documents that must serve as evidence of the relationship and of the procedures adopted.

The Document on the role and tasks of the Data Processor

This second Document, drawn up by the Network after months of reflection and analysis, pursues the Network's usual aims: working together, defining common standards, and developing templates, procedures and best practices that help its member organisations comply with the GDPR. It is intended both as a contribution to the ongoing debate on the topics it covers and, above all, as an invitation to comparison inside and outside the public administration, in the conviction that this figure confronts everyone with the same challenges. Each organisation will of course remain free, in its own autonomy and taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, to choose the most suitable tools (procedure, internal regulation, practice, etc.) to define the governance and rules that must apply within it. The full text of the Document is available. The points of greatest interest in each chapter are outlined below.
RTD: definitions and responsibilities (Chapter I)

The Regulation defines the RTD as the natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller[2]. It is an entity external to the controller's organisation, which must provide guarantees that it is always able to operate in full compliance with data protection law and, above all, must be able to implement appropriate technical and organisational measures to protect the rights of the data subjects whose data are processed.

The relationship between these two key figures in the processing of personal data, the methods of identifying the processor, of building, managing and terminating the relationship and, last but not least, their respective responsibilities are at the centre of the debate among practitioners and are the subject of reflections still in progress. The Guidelines 07/2020 on the concepts of controller and processor, adopted by the European Data Protection Board on 7 July 2021 (hereinafter "Guidelines 7/2020"), must certainly be the point of reference for any such discussion. They stress that, for the relationship between the two parties to be set up correctly, it is first necessary to ensure:

• a prior assessment of whether an external party is needed at all, as Article 28(1) GDPR explicitly presupposes: "Where processing is to be carried out on behalf of a controller...";
• that, where an external party is needed, only entities are chosen that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing meets the requirements of the Regulation and ensures the protection of the rights of the data subject;
• the conclusion between the two parties of a contract or other legal act under Union or Member State law (hereinafter: "Act") that binds the processor to the controller and sets out the subject matter and duration of the processing, its nature and purpose, the type of personal data and the categories of data subjects, the mutual obligations and the rights of data subjects, the instructions, and the technical and organisational measures. The Act must contain every element needed to delimit the activity entrusted to the processor and to give the RTD all the instructions necessary to process personal data correctly.

In particular, the supplier's compliance obligation, which matters above all for public administrations because of the procedures that govern supplier selection, arises in the phase before the Act governing the controller-processor relationship is signed: the controller must require appropriate technical and organisational measures among the technical requirements published and evaluated for the award of the service or supply (where that service or supply involves the processing of personal data of natural persons) and, after the Act is signed, must continuously monitor that those requirements remain satisfied, as a specific condition for the correct management of the relationship.
The European institutions responsible for the sector have made clear on several occasions that public administrations should set an example in protecting the fundamental rights and freedoms of individuals: "Public administrations are called to be in the frontline"[3]. The inquiry coordinated by the EDPB and launched by 22 national supervisory authorities moves in the same direction.

Finally, where data are processed by a party other than the controller, the content of the relationship must be governed, in writing, by "a contract" or by "another legal act under Union or Member State law" that is binding on the parties. The formal act of appointment must address all the elements expressly listed in Article 28 GDPR, which serve to guarantee that the appointee is suitable to carry out the tasks entrusted to it. If any of these elements is missing, the Act cannot be qualified as valid under Article 28 GDPR; an Act concluded without them therefore amounts to a violation of that provision[4]. For example, a non-transparent and generic definition of the controller-processor relationship may lead to an insufficient or incorrect identification of the legal basis of the processing itself[5] and give rise to a sanctioning procedure by the Italian supervisory authority, the Garante per la protezione dei dati personali (hereinafter: "Garante")[6][7].

It should be stressed that, in drafting the Act, it is not enough simply to reproduce the text of the EU legislation. The document must be tailored to the organisation's context, the data actually processed, the categories of data subjects and the characteristics of the specific processing that the controller entrusts to the processor: the mandatory contents under Article 28 GDPR must be applied to the concrete case. The requirements must be maintained over time and checked through periodic verification activities. The consequences that the end of the relationship (at its natural expiry or on early termination) will have on the personal data entrusted to the RTD must also be settled in advance; this is both a symptom and a measure of the controller's accountability.

Particular attention must be paid to the appointment of sub-processors and, where processing takes place under joint controllership, to defining precisely the relationships and responsibilities between the two or more parties that jointly determine the purposes and means of the processing. The relationship between joint controllers must also rest on an "internal arrangement", the essence of which is made available to data subjects so that everyone knows the respective roles, competences and responsibilities and can exercise their rights effectively. The arrangement does not, however, deprive the data subject of the right to exercise those rights against each joint controller. Each of them is liable for the entire damage, so as to ensure effective compensation of the data subject (cf. Article 82(4) GDPR), without prejudice to the right of recourse against the other joint controllers on the basis of the responsibilities defined in the arrangement (Article 82(5) GDPR).

Controller and processor must define their organisation, the levels of responsibility, the procedures and methods by which personal data are to be processed, and spell out their respective obligations.
The controller is always responsible for demonstrating, effectively, that it has put in place every activity necessary to protect the trust placed in it by the data subject, all the more so when it relies on third parties for the processing, that is, when it does not itself process the data the data subject entrusted to it but has others do so, thereby altering the original choice and the reasons behind it. Preparing a defined checklist[8] and completing it already during the selection phase helps the controller identify a party that meets the requirements laid down by the legislation and start building the relationship correctly.

Under the general principle in Article 82 GDPR, where a violation causes damage to the data subject and more than one party is responsible for it, the processor is held liable jointly with the controller for the entire damage (Article 82(4)). The processor, however, is liable for damage caused by the processing only where it has not complied with the obligations that the Regulation addresses specifically to processors[9] or where it has acted outside or contrary to the controller's lawful instructions (Article 82(2)). In short, a processor that infringes the controller's instructions by independently determining the purposes and means of the processing is itself treated as a controller in respect of that processing (Article 28(10)). Exemption from liability is possible only if the controller, joint controller or processor proves that it is not in any way responsible for the event giving rise to the damage (Article 82(3) GDPR).

Selection of the contractor and contractual clauses (Chapter II)

The method (procedure and content) by which the external supplier that processes data on the controller's behalf is chosen plays a decisive role in ensuring that a public administration, in its capacity as controller, complies with the Regulation.
The analysis focused on identifying the guarantees that, within the regulatory constraints that bind public administrations, can be built into existing procurement procedures so that the RTDs awarded a service, besides being qualified for the type of supply or service requested, "provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject" (Article 28(1) GDPR). This is new ground, explored with the awareness that the guarantees and requirements demanded until now are no longer enough: the threshold of attention must be raised.

A tool to support the choice is found in the Standard Contractual Clauses (hereinafter: SCC; in Italian, CCT) approved by the European Commission with Implementing Decision (EU) 2021/915 of 4 June 2021, which sets out in detail the standard contractual clauses governing relations between controllers and processors pursuant to Article 28(7) GDPR and Article 29(7) of Regulation (EU) 2018/1725 (EUDPR) (hereinafter: "Decision 2021/915"). With that measure the Commission also intended to regulate the relationship between Union institutions, bodies, offices and agencies, or their Directorates-General and organisational units, acting as controllers, and third parties acting as processors on their behalf.

The aim is to provide guidance and align with each other the data protection rules of the GDPR, applicable to the public and private sectors in the Member States, and of Regulation (EU) 2018/1725, applicable to the institutions, bodies, offices and agencies of the Union (hereinafter: EUDPR), so as to ensure a consistent approach to the protection of personal data throughout the Union and allow the free movement of personal data within the European territory. The SCCs may be used, also in part depending on the concrete situation, to meet the obligations set out in Article 28(3) and (4) of the Regulation. Decision 2021/915 contains ten clauses[10] (plus four annexes) that cover all the obligations laid down in Article 28 GDPR and constitute a point of reference for the controller, which must take them into account when drafting the contract it is about to conclude with the processor: using the SCCs certainly makes it easier to define measurable requirements for choosing the contractor. The Document makes clear, however, that:

• signing the clauses does not relieve the controller of the obligations laid down by the Regulation;
• the controller must always, in any event, monitor the processing carried out on its behalf by the processor;
• the clauses must be consistent with all the other contractual provisions.

The Regulation remains the interpretative "beacon" for the contractual provisions, together with the guidelines of the European data protection bodies and the interpretations issued by the competent institutions at both EU and national level.

Some special cases (Chapter III)

The Document concludes by devoting ample space to the examination of certain situations already brought before the Garante, and of others that may find a possible interpretation by analogy with the content of those decisions.
From what has been argued so far it is in fact possible to draw the main requirements that characterise and qualify the figure of the processor in comparison with the other figures that, with different nuances, play relevant roles in data processing: controller, joint controller, processor, sub-processor, designated persons, persons authorised to process. In particular, many of the figures found, with different nuances, in the Italian data protection system are addressed: from evaluation and control bodies, to labour consultants, to providers of hosting and IT support services, to the Regional Communications Committees, up to the occupational physician ("medico competente"). Cloud service providers and the impact of the Schrems II judgment on international data transfers have, of course, not been overlooked. That story could be at a turning point if the transatlantic agreement in principle announced on 25 March 2022 by the European Commission and the United States reaches a positive (and conclusive) outcome, which it is hoped will lay the foundations for a new, stable legal basis for cross-border flows of personal data. From the different qualification of each figure follows its different degree of autonomy and responsibility and, necessarily, the approach the controller must take towards it, always with the aim of ensuring that its organisation complies with the principles governing the protection of individuals with regard to the processing of their personal data.

______________________________________

[1] The Network held its first meeting in Rome on 15 June 2018. Today it includes the DPOs of the main sector authorities and of some bodies that support their activity.
[2] See Article 4(8) GDPR.
[3] EDPS Opinion 5/2018, p. 8. Similarly ENISA (cf. ENISA 2015 Report, p. 50 ff.), according to which public services must act as a model by increasing the demand for solutions consistent with the principle of privacy by design, also in order to create a market for privacy-friendly services.
[4] Cf. Garante, Ordinanza ingiunzione nei confronti di Roma Capitale, 22 July 2021 [9698724], where it is stated that "with regard to the personal data protection aspects, it should be noted that the resolutions of Roma Capitale ..., by which the service in question was entrusted to Atac S.p.A., do not have the specific characteristics of the legal act that defines the role of the Processor, since they do not contain the elements provided for by Article 28 of the Regulation". It is also stated that "the failure to define the relationship with the external parties ... involved in the processing ... resulted in a violation of Article 28 of the Regulation by Roma Capitale" (section 3.3, last paragraphs).
[5] Guidelines 7/2020, footnote 42.
[6] Guidelines 7/2020, point 103. Consistently, in the Garante's decision no. 9 of 14 January 2021, the processing was held unlawful in the absence of a designation of the processor.
[7] Garante, Ordinanza Roma Servizi per la mobilità, 11 February 2021, n. 49.
[8] By way of example, a checklist should verify at least the following: a) whether the Processor has appointed a DPO; b) the adoption of procedures for protecting the rights of data subjects; c) the training of the employees working under its authority; d) the written consent of those employees; e) the keeping of a record of processing activities; f) the adoption of suitable procedures for managing any personal data breach; g) the adoption of security measures such as anonymisation or pseudonymisation; h) the adoption of penetration testing and vulnerability assessment procedures; i) the possession of any security certifications; l) the existence of a disaster recovery and business continuity plan; etc.
[9] Think, for example, of Article 30(2) (obligation to keep the record of processing activities), Article 32 (adoption of security measures) and Article 37 (appointment of the data protection officer).
[10] Reference is made to the Document, which analyses the clauses and annexes in detail. In particular:
• description of the processing and subject matter of the Act, purpose and duration;
• the obligations of the parties;
• security of the processing and organisation of the processor;
• the supervisory powers of the controller;
• the use of sub-processors;
• the rules on transfers outside the EU of the data entrusted to the processor;
• the processor's cooperation in the controller's GDPR obligations;
• general standard contractual clauses (clauses 2, 3 and 4 SCC).