I’ve felt a bit uninspired these past few weeks, and simply got writer’s block from being too immersed in the subject. I’ve been working non-stop on GDPR projects and somehow I didn’t feel I could get myself to write another interesting or useful post about the subject. Everything seemed quite recycled, already tackled. This week however inspiration came through a question posted in a group which I am part of which seems to be a common theme and one which many are struggling with at the moment.
Before reading this a small disclaimer: Please do keep in mind though that I am no Privacy expert and neither a lawyer.
Where does that leave me, and with what liability? I appreciate I can make it part of my terms and conditions, which is easy going forward, but what about existing clients? Is it possible to exempt myself as a data processor if the controller signs a waiver of some kind? Would this be legal under GDPR?
Let’s start with going through Article 24. I took the liberty of highlighting the parts that are pertinent to my arguments.
It is the Controller who knows what data they are collecting, the purpose of their website and what the personal data (if any) is being processed for. This also means that it is the Controller that needs to determine whether there are any risks associated with the data they’re collecting and ensure that the appropriate safeguards proportionate to that risk are in place.
As the Processor, you are not in a position to make this determination: you see the infrastructure, not the purpose. In addition, the Controller may not even be serving data subjects in the EU, even if they host their website with you.
Moving on, Article 28 clearly states that the relationship between the Controller and the Processor must be governed by a contract or other legal act that sets out the responsibilities of both parties.
In the case pertinent to our question my recommendation here is to draw up a Data Processing Agreement (DPA) clearly stating what you as a Processor are responsible for and what they as Controllers are responsible for. Then have all your clients, both old and new, sign it.
The DPA should clearly define that the Controller is responsible for determining the risks that the personal data they collect might pose to individuals, and that you, as the Processor, are responsible for the data from the moment it arrives with you. That is, since you are hosting, you need to make sure the back-end is secure: that access control is in place, that the employees who can access the data have been vetted and trained and genuinely need that access, and so on.
With reference to the privacy notice on the website, it is up to the controller to determine whether they need it or not. I will not get into the argument of “every website should have that as most of them use analytics of some sort”, just stating that it is their responsibility to determine.
In terms of the SSL certificate (strictly speaking a TLS certificate these days; "SSL" is the name that has stuck), we all know that this comes at a cost, and as a Processor you are right to recommend and offer it. However, what TLS does is create an encrypted tunnel through which the information passes from the user's browser to the web server. It protects the data in transit and nothing else: it says nothing about what is collected, and it does not protect the data once it is at rest on the server. As a Processor you are responsible from the server onwards, that is, from when the data arrives. The collection, what is collected and how it is collected is entirely in the hands of the Controller, and as a Processor you have no control over that.
Caveat: I am assuming here that you are only hosting, not managing, their websites. Managing them as well would be slightly different. Remember that whether we are the Controller or the Processor is determined per processing activity, and our responsibilities change with it.
To answer the last part of the question – Is it possible to exempt myself as a data processor if the controller signs a waiver of some kind? Would this be legal under GDPR? – Let’s have a look at Article 79.
There is no waiver or legal document, however, that would prevent a data subject from suing you directly as a Processor, or prevent an investigation or administrative fines by the Supervisory Authority.
That means you can have a document or waiver stating that the Controller will not pursue you for damages or fines they incur through their own non-compliance with GDPR, whether those are imposed by the authorities or result from being sued by a data subject. But nothing stops a data subject from seeking a judicial remedy directly against the Processor, or the Authority from investigating and fining you accordingly.
The Action Points
- You can protect yourself by listing the responsibilities of the Processor and the Controller in a Data Processing Agreement signed by both parties.
- You should keep a record of any recommendations that you make to the Controller and
- You can also have a waiver drawn up so that the Controller indemnifies you against claims arising from the Controller itself or its third parties.
This post was a pleasure to write and should there be any more questions like this, that you’d like me to answer I would definitely give it a shot.