As an independent privacy professional I work with insurance, healthcare and financial companies in the EU, UK and US. My clients process huge amounts of sensitive data. What I have noticed, and what I would like to draw your attention to, is data processing agreements (DPAs) with vendors who don't actually process any personal data. This may lead to a huge data breach and violate data subjects' rights because:
1 - Some tech vendors, who are professionals in technology, may be granted unnecessary access to personal data (when the controller has no legitimate interest or other legal basis for disclosing the data to a third party). The vendors usually don't need this data to provide their services. To avoid this unreasonable dispersion of data, it should be pseudonymized, anonymized or encrypted by the controller.
Actually, technology that allows personal data to be hidden from data recipients would be a silver bullet against the applicability of the GDPR to these relationships, but such technology needs further development and it costs a lot.
2 - Controllers largely rely on DPAs that don't reflect the actual relationship, because of the common idea that the GDPR requires every controller to enter into a DPA with every single vendor, and that all vendors are data processors, even those that only have unintended access without performing any processing activities.
To be honest, many reputable experts and advisors recommend signing DPAs, because they believe that this protects their clients from risks. In fact, it leaves their clients absolutely unprotected, because "empty" DPAs (with no actual processing behind them) are null and void from the beginning.
In this case, disclosure of data under a void DPA officially becomes a data breach caused by the controller's negligence. Please take into consideration that "access" to personal data is not listed in Article 4(2) of the GDPR as a type of processing activity.
Of course, "provision of access" and "disclosure" are processing activities, being operations on personal data. However, when someone gets access to personal data, it is not always the performance of an operation on personal data, and not always an action, or even a voluntary action, of the data recipient.
Controllers also use DPAs because they don't cost anything, whereas security measures cost a lot. Vendors then become responsible for implementing huge lists of security measures, despite the fact that they have nothing to protect in their filing systems. Controllers prefer to save money and disclose the data to vendors, putting a formal DPA in the place where security measures should be.
Moreover, big corporations use their superior bargaining position over the vendor to shift risk onto the vendor's side using DPAs. That's why controllers usually impose full liability, indemnification and insurance obligations on vendors in DPAs. Due to bidding procedures these conditions become non-negotiable, and the vendor becomes responsible for data which it doesn't even need to access.
As a result, controllers are forcing vendors to access data instead of keeping it confidential. The controller doesn't notify data subjects about the disclosure of their data to such vendors, because a notification for every vendor would turn into a spam attack.
Further, a lack of information about access granted to third parties can take personal data out of the data subjects' control, leaving them in the dark and violating their privacy rights, particularly the right to control the dissemination of their personal data.
This whole scenario dramatically increases the risk of data leaks and violates data subjects' rights.
Also, affiliates on the vendor side usually don't enter into mirroring (back-to-back) DPAs with the vendor, yet they have access to the client's personal data without implementing the necessary security measures. My recommendations are as follows:
- Controllers may continue to rely on non-disclosure agreements, supplemented with whatever obligations and security measures they need. They should stop imposing processing obligations on vendors where there is no necessity.
- Controllers must avoid providing access to vendors where there is no legal basis for disclosing the data to that recipient.
- We need official clarification from data protection authorities on: the risks of formal DPAs without actual processing; the essential conditions of "documented instructions" and the way they are offered and accepted; the options for negotiating and objecting to instructions; the possibility of suspensive conditions; remuneration (consideration) and taxation of DPAs; whether a DPA is a real or a consensual contract; and whether data processing is a bilateral obligation.