Advice based on recent case law on data protection
Recent case law in the area of data protection has had its particular emphasis on fines for lack of a basis for processing personal data, in particular a sufficient consent, and the lack of technical and organisational measures, in particular deficiencies in access and access rights management. For example, on 6 February 2023, the Norwegian DPA imposed a fine of NOK 10 million (approximately EUR 900 000) on the SATS gym chain for failing to fully implement the rights of data subjects and for failing to inform its customers about the correct basis for processing personal data. There were also shortcomings, in particular, in the consent to the processing of training history data. Therefore, attention should be paid first of all to ensure that internal processes are designed in such a way that the requirement of the General Data Protection Regulation (“GDPR”) regarding data subjects’ rights can be implemented within the timeframe set. In addition, especially in the case of processing of health data, it should be ensured that consent has been obtained in accordance with the requirements of the GDPR.
While it is true, that the controller’s liability is based on compliance with the GDPR and the processor’s liability is based on compliance with the controller’s instructions in addition to the specific obligations of the GDPR assigned to the processor, there are still certain contractual issues related to responsibility for data processing. The basis for the allocation of responsibility is that each party is responsible for its own processing. However, the responsibility of the processor has become more factual due to the possibility of agreeing on responsibility in the personal data processing agreements. For example, if, at the same time as the controller is legally liable, but the division of liability is agreed with the processor so that the processor is contractually liable, then even if the controller is legally liable “outwardly”, it could still recover fees from the processor under a right of regression under the contract. This observation underlines the finding that, even if the controller is responsible for the processing as a whole, the processor should carefully pay attention to the responsibility clauses in the data protection agreements.
Practical tips for agreeing on processing of personal data
Here are some practical tips for agreeing on data protection issues based on currently seen practice. First of all, it is worth reviewing your company’s contracts to check whether they are up to date with the requirements of the GDPR. This includes, of course, all the necessary annexes to the contracts, for example, regarding data transfers outside the EU, impact assessments and a description of the processing activities. It is also a good idea to monitor and actively update these annexes as part of your everyday business activities. It would also be worthwhile to consider an internal process of implementation of these processes to your employees. This could be done by circulating the contracts through the data protection officer or the legal department. Another option would be to use more advanced templates which allows those with deeper knowledge and understanding of the business to more easily finalise and maintain the templates themselves without the extensive support of the data protection officer or the legal department. Intra-corporate transfers should also be considered and reviewed; if data is transferred abroad within a group, a personal data processing agreement should also be drawn up between group companies to comply with the GDPR.