The GDPR will inevitably impact a larger number of companies than before. The GDPR will indeed apply to any business that acts as a data controller or a data processor and that offers goods or services to individuals located in the EU, irrespective of whether such business is physically located in the EU (see I). Moreover, the GDPR imposes many new obligations on both data controllers and data processors, triggering a real shift in their respective responsibilities. This will entail major consequences for a large number of European as well as non-European companies (see II) and create new challenges that many businesses will need to address in the near future (see III).
(I) Businesses without establishment in the EU may fall under the scope of the GDPR
The GDPR will apply to both EU and non-EU companies which i) process personal data in relation to the offering of goods or services to EU data subjects or ii) monitor individuals’ behaviours that occur within the EU. The concepts of personal data and processing remain very broad since personal data include any kind of information (i.e., location data, online identifier…) that, even indirectly, allows for the identification of a person. In addition, and contrary to what is generally expected, the mere hosting, storage, or even the erasure or the destruction of data amount to processing of such data.
Companies are considered to target EU citizens if one or more of the following criteria are met: the use of a language or a currency generally used in one or more Member States with the possibility of offering goods and services in that other language, and/or the mentioning of customers or users who are based in the Union. On the contrary, the mere fact that a website of a non-EU-based business is accessible from the EU is not a determining factor.
This will significantly broaden the scope of the GDPR, which will now clearly encompass all websites and app’s tracking EU citizens’ digital activities, i.e., by making use of tracking cookies.
(II) New and enhanced obligations for both data controllers and data processors
The GDPR has not amended the definitions of the terms ‘data controller’ and ‘data processor’. The former remains defined as the entity “which, alone or jointly with others, determines the purposes and means of the processing of personal data”, while the latter is the entity that processes personal data on behalf of the controller. This included, for instance, a cloud computing service provider.
A significant development is that the GDPR expressly addresses the processing of personal data both by data controllers and data processors (under the conditions described above).
In addition, the data processor that would have determined itself the purposes and means of the data processing shall be considered to be a controller with regard to that specific processing. Besides the fact that this blurs the boundaries between controller and processor, it also lowers the threshold for triggering the application of the provision on “joint-controllership”, thereby subjecting the processor-turned-controller to enhanced responsibilities.
The GDPR further imposes more stringent obligations on data controllers. As a matter of principle, data controllers bear the responsibility for ensuring that the data processing complies with the key principles of the GDPR. In this respect, data controllers will now have to keep records of processing activities carried out under their responsibility, including all information that can demonstrate compliance of the data processing with the GDPR.
With regard to data processors, there will be a greater shift in liabilities. Indeed, for the first time data processors will have direct obligations vis-à-vis the data subjects, whereas before they were merely responsible vis-à-vis the data controller. Just as the data controller, the processor can be subject to fines for non-fulfilment of those obligations. For instance, data processors, just like data controllers, must implement technical and organisational measures to ensure the security of the processing. In addition, the data processor must immediately inform the data controller about any security breach that would have occurred in relation to the processing. By the same token, the processor must keep a record of all data processing activities that it carried out on behalf of the controller.
Finally, both the data controller and the data processor must cooperate with the supervisory authority during their performance of the tasks. Hence, the data processor might also be required by the supervisory authority to meet the data subjects’ requests when they exercise their rights.
Lastly, the GDPR sets forth more extensive requirements that must been reflected in a contract between the data controller and the data processor. While there is already an obligation to have an agreement between them in writing under the previous Directive, these requirements are more significant in the new regime. The data processing agreement must indeed stipulate that the processor respects its regulatory obligations as regards confidentiality, security and sub-processing. The agreement must also enshrine the processor’s obligations to delete or return all the personal data, at the choice of the controller and to assist the controller (i) in ensuring compliance with the controller’s obligations with respect to security and prior notification; and (ii) in taking technical and organisational measures for the fulfilment of the controller’s obligation to respond to data subjects’ requests. However, no transitional provision has been adopted in this respect, putting all the existing data processing agreements at risk and compelling the parties concerned to renegotiate their contracts.
(III) Coming challenges
From the foregoing, the practical implementation of those new legal requirements appears to be challenging. For example, the new processor-controller joint-responsibility for security breaches will imply that the processors must conduct risk assessments for each intended data processing. Moreover, data processors will no longer be able to cap, with respect to all, their liability in this regards, as the regulatory authority will now be entitled to fine them directly. Furthermore, data processors acting on behalf of several controllers because, for instance, they offer outsourcing services to several companies will also have to manage their fulfilment of their numerous contractual obligations under those distinct processing agreements. Finally, data controllers will need to more carefully select their suppliers to ensure that the latter process personal data with caution and diligence. Data controller will also eventually need to organise audits so as to ensure compliance of the processing with the principles of the GDPR. One “tricky” obligation the data controller must fulfil is indeed to demonstrate that it has chosen a data processor that provides “sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of the GDPR”. It is to be expected that the GDPR will only enter into effect in two years’ time. This period however appears to be a minimum period that companies will need to come to terms with their new obligations.
