Data controllers and data processors must work hand in hand to their mutual benefit. The importance of creating a mutually beneficial relationship is highlighted when considering instances of further processing by data processors for their own purposes. The French Data Protection Authority (CNIL) published statement in January this year providing guidelines for the foundation of such a relationship, and indicating the potential harm caused when the relationship is mismanaged. This article shall examine the steps required from a data processor and data controller in order to ensure the lawful further processing of data provided by a data controller for a data processor´s own purposes, to their mutual benefit.
Further processing by data processors for their own purposes
We have previously explained the differences between a data controller and a data processor, how to found a contractual relationship between them, the obligations of each of the parties towards each other and their obligations towards data subjects. The example we gave for a typical data processor – data controller relationship was the use of a cloud service provider by a company.
The cloud service provider acts as a data processor upon the instruction and on behalf of a company, being the data controller, using the cloud services. In theory the cloud service provider may only process the data upon the explicit instruction of the data controller, and only for the purposes it was collected for by the data controller.
In its statement CNIL also uses this example to illustrate what occurs in practice in such an instance. Aside from processing the data of the data controller as instructed, the data processor – the cloud service provider – also wishes to reuse the data provided for its own purpose, namely the improvement of its cloud computing services. But these are purposes for which the data controller did not originally collect the data.
This example is reflected every day in practice. Data processors, such as cloud or IT service providers, often reuse the data provided by data controllers for their own purposes, whether it be to improve their service offerings, create new products, or undertake various type of data analysis. This further processing is clearly to their benefit, providing economic advantages and leading to the further growth of their businesses. Usually the DPAs of such cloud service providers will include permission for them to process data for their own purposes. The onus is then upon the data controller to conduct the compatibility test explained below.
The danger of further processing by data processors for their own purposes
Further processing done without the authorization of the data controller endangers a data processor. It then constitutes a breach of its contract with the data controller in terms of Art. 28 of the GDPR, unless a national or European law requires the data processor to undertake such further processing. However, most of these further processing activities are unlikely to be necessitated by a national of European law. This endangers the data processor.
It also endangers the data controller. Data controllers remain ultimately responsible to data subjects for any processing of their data and are required to inform data subjects of all processing and the purposes of processing of their data upon collection of their data (read more about the information that must be provided under the GDPR). A data controller is unlikely to have collected data for the purpose of improving the products of its data processor, and thus is unlikely to have informed data subjects of such further processing or the purposes of such processing. When further processing then takes place, the data controller is in breach of GDPR stipulations.
What data controllers need to do
Firstly, if the data controller is aware that the data processor will process data for its own purposes, the data controller must conduct a compatibility test in order to decide whether it will authorize the data processor to process data for its own purposes.
A compatibility test (see below) is required as data may not be processed further, regardless of by whom, if the purposes of such processing are incompatible with the original purpose for which the data was collected (Art. 6(4) GDPR). As the party collecting the data, the data controller remains responsible for the compatibility of the purposes of any further processing with the original purpose.
Secondly, the data controller must authorize the data processor in writing to process data for its own purposes. The authorization may be included in the services agreement or the data processing agreement that is signed between the parties. It may not however be a general authorization which allows the data processor to process data for any of its own purposes. The authorization must be tailored for specific purposes of the data processor which the data controller has deemed to be compatible in the manner described below.
Thirdly, the original controller must inform the data subjects about the uses of their data by the data processor for subsequent purposes and their rights in relation to this, unless the data processor takes on this duty in a manner beneficial to both as described below.
The compatibility test
The data controller must conduct a compatibility test before authorising the data processor (Art. 6(4) GDPR). The test assesses whether the further processing by the processor is compatible with the initial purpose(s) for which the data was collected. The data controller must establish whether there is a “link between the purposes for which the personal data have been collected and the purposes of the intended further processing.” In terms of Art. 6(4) GDPR the controller shall also take into account, inter alia:
- “the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
- the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
- the possible consequences of the intended further processing for data subjects; and
- the existence of appropriate safeguards, which may include encryption or pseudonymisation”.
The CNIL statement clarifies if a further processing purpose is deemed incompatible then the data controller must refuse to grant authorization for the re-use of the data. Each further processing purpose must be tested for compatibility. A general authorization is thus not possible.
What data processors need to do
Firstly, a data processor re-using data for its own purposes should seek the authorization of the data controller as described above.
Secondly, the data processor may only process the data further if the purposes of such further processing have been deemed compatible by the assessment of the original data controller as described above.
Thirdly, the data processor should note that it has become another data controller in regards to that data. Thus, it must fulfil all the obligations of a data controller in regards to the data subjects. This includes the following:
- ensuring that the further processing serves a well-defined purpose;
- ensuring that the further processing has a legal basis appropriate to that purpose;
- limiting the data collection to the minimum required for that purpose;
- allowing the exercise of the data subject rights, such as the right to object;
- putting in place all necessary security measures; and
- informing data subjects of the further processing.
In practice, the notification of data subjects raises difficulties, as the data processor may not be in contact with the data subjects.
Fourthly, the data processor should therefore share the obligations of the GDPR with the data controller as indicated by CNIL in its statement.
Sharing the obligations of the GDPR
Data controller and data processor should work together to ensure that the further processing purposes are compatible with the original purpose for which the data was collected. Instead of creating tension amongst the parties because they cannot agree whether a further purpose is linked sufficiently to the further purpose, they should strife for a dialogue and open communication regarding the needs of each. In practice this may be difficult as some data processors do not engage directly with their clients, but then a different service provider should be considered.
As stated above the original data controller is, in principle, also responsible for informing the data subjects upon collection of their data about the transfer of data to a new data controller, i.e. the data processor using the data for its own purposes. This is burdensome on the original data controller. It is therefore advisable in instances where the data processor has the possibility of contacting data subjects directly for the data processor to relieve the original data controller of this burden.
This benefits both parties, as the original data controller does not have to provide information on processing it itself does not undertake or instruct to be undertaken, and the data processor (the new data controller) ensures it obligations under the GDPR are fulfilled.
In instances where the new data controller does not have direct contact with the data subjects, the original data controller in an effort to ensure a mutually beneficial relationship may inform data subjects of the further processing on the new data controllers behalf. In order to facilitate this the new data controller must naturally provide all relevant information regarding the processing and its purposes to the data controller.
This solution ensures the obligations of the GDPR are met for both parties, the original data controller benefits from the services of the data processor and the data processor, in its capacity as new data controller, receives the benefits of the processing it undertakes for its own purposes.
Conclusion: Mutual benefit is reached by real cooperation
Data controllers and data processors must be cognizant of each other’s needs, and take the above-mentioned steps to cement a mutually beneficial relationship. A relationship wherein the data controller receives the benefit of processing by the data processor, and the data processor receives the benefit of the insights derived from the data controller´s data, while ensuring that harm comes to neither party.