GDPR – The complex issue of who is involved in data processing


Published on 26 September 2022 | reading time approx. 3 minutes


Data controller, data processor or joint-controllers?

Four years after the entry into force of the General Data Protection Regulation ("GDPR"), 26 percent of companies are still discussing its implementation and only half of those who have integrated it consider that they are at an advanced level of compliance.


These figures can be explained in part by the technical nature of the GDPR and its grey areas. Supervisory or regulatory authorities, public authorities, business partners, marketplaces, suppliers, hosting companies, consulting professions and so on: although there are only three categories in principle, qualifying certain partners in the processing of company data is not always an easy task.

What to choose: Data controller, data processor or joint-controllers?

Legal persons who carry out or participate in the processing of personal data are qualified, depending on their level of involvement, as controllers, processors or joint controllers.


We will quickly set aside the question of "Authorised Third Parties", to which the CNIL ("Commission nationale de l'informatique et des libertés") has dedicated a practical guide. These are entities, generally public or with a public service mission, which are authorised by law to access certain personal data: the tax authorities, the administration of justice, the police and the gendarmerie, the public control authorities, court officers (bailiffs, lawyers, etc.), etc. These Authorised Third Parties, when acting within the framework of their legal mission, do not therefore enter into the debate on the qualification of a service provision relationship.


The CNIL and its European counterpart, the EDPB ("European Data Protection Board"), have published various guides and guidelines providing qualification criteria. Thus, the controller is the one who determines the "why" (purposes) and the "how" (means) of the processing it has initiated. It has decision-making power and control over the data. In most cases, in a relationship between a customer and its supplier (which accesses customer data), the customer is the controller.

The processor (or supplier) is an executor: an entity necessarily distinct from the controller, it carries out processing on behalf of the latter, in the context of a service (for example, an IT service provider). In particular, it keeps a register of processing operations subcontracted by its clients.


However, in some situations, it is not easy to determine which of the two partners is the controller and which is the processor. In particular, each of the actors often has a certain degree of autonomy, which makes this classification difficult.


Some criteria have therefore been developed to better identify them:

  • the level of instructions given to the partner;
  • the degree of control over the processing carried out by the partner;
  • the added value and expertise of the partner; and
  • whether the partner is known to the individuals whose data are being processed.

As these criteria show, the assessment of roles is quite subjective and very casuistic. The qualification of certain processing actors cannot therefore be binary. This is why, in certain cases and for certain processing operations, the two partners may be joint controllers, i.e. they will jointly determine the means and purposes of the processing operation, sometimes at two different levels of intervention, and it will be up to them to divide their roles and responsibilities by contract. However, the CNIL points out that if the intervention of an entity is limited to the definition of means that are not essential to the processing, it will not qualify as a joint controller. In the latter case, each of the entities is responsible for the processing according to its own role in the operation.

The CJEU ("Court of Justice of the European Union") issued an interesting ruling on the matter, qualifying the publisher of a website as jointly responsible with Facebook, even though it did not have access to the data collected for any exploitation.


This case concerned a website operator who had chosen to install a Facebook sharing button (the famous "Like" button) on his website in order to optimise his advertising on this social network. The installation of this Facebook plug-in resulted in the systematic transmission of the personal data of the site's visitors to Facebook, regardless of whether or not they were members of this social network or had clicked on the share button.


The CJEU ruled that, by inserting such a social module, the publisher had a decisive influence on the collection and transmission of the data to Facebook, which would not have taken place without that insertion, and that it should therefore be qualified as jointly responsible with Facebook.

This decision, which may seem surprisingly severe, has the merit of outlining the concept of joint controller, for which the Court recalls that it is limited to the processing operation or set of operations for which a joint controller effectively determines, jointly, the purposes and means: in this case, the collection and the communication by transmission of the data.

Finally, when the entities concerned are not in a subcontracting relationship or in a joint project under joint responsibility, but must nevertheless exchange certain personal data that they process in the course of their activity, in particular under a legal or contractual obligation (e.g. a university and the Crous, a parent company and its subsidiary, etc.), each is autonomously responsible for its own processing, with one simply being a "recipient" of data collected by the other. We will not discuss this category of "Recipients", defined by the GDPR, as each entity must simply bring its own processing into compliance. However, let us not forget that, as part of the information due to data subjects, the company that collects the data first must inform them that the processing implemented requires the communication of all or part of their data to another recipient structure, explaining in particular the purposes and the applicable legal basis.

Despite all these criteria and, a priori, a fairly clear distribution of possible qualifications, difficulties remain. A very frequent example is software publishers and other IT service providers. Their qualification, sometimes as subcontractors, sometimes as joint controllers, is delicate and illustrates the grey areas of the GDPR.

The example of software publishers

It is generally accepted that when a company (or other legal entity) uses a service provider (and if the latter has access to some of the company's personal data), the former is the data controller and the latter is the data processor, who merely carries out, on behalf of the former, all or part of the processing operations set up by its client.


In this case, and except in the case of data anonymisation, the publisher of software that hosts or uses the data of employees or customers who are natural persons (payroll software, CRM, video surveillance, etc.) is presumed to be a subcontractor. This is particularly the case for business software, a customised tool that must be integrated into the client company's information system and adapted to specific needs.


However, most publishers offer standard "off-the-shelf" or "turnkey" software, which is offered to all their customers without any specific adaptation, other than a parameterisation. These solutions can be downloaded from the company's servers, or remotely, by connecting to a website or Internet platform. This is mainly the case for PaaS (platform as a service) or SaaS (software as a service) solutions. The publishers of such standard software are also often international groups, offering non-negotiable licensing conditions. Examples include the Microsoft Office 365 suite, and many accounting and CRM applications.


The customer is then offered a framework contract, including several standard services depending on the case (licence, updates, hotline, but also data hosting, etc.), rarely leaving room for individual negotiation. It is then a so-called "adhesion" contract, with the client (data controller) accepting the conditions (apart from financial ones) imposed by its supplier-publisher.

The customer does not therefore decide on the environment of this third-party software, in which it will store or transit personal data, encrypted or not. Nor is the customer in a position to give instructions to its supplier or to demand a personalised level of compliance. The balance of power in contractual negotiations is often not in the customer's favour. In these cases, the qualification of subcontractor could then be ruled out as far as the publisher is concerned, even though its own general terms and conditions of sale sometimes qualify it as a subcontractor.


However, the publisher would not be solely responsible for the client's processing, since it is the client who selects the software for the purposes of the processing he has set up and, consequently, the means that this tool offers him.


The parties concerned will therefore have to examine their respective relationship to the processing operation to determine whether the supplier remains a subcontractor or whether he can be qualified as jointly responsible with his client.


It should be noted that this third qualification must be assessed on a case-by-case basis and requires caution, insofar as the partners have rarely anticipated this co-responsibility and the case law, which is rare in this area, is still fairly nascent. In the case mentioned above, the CJEU found the website publisher and Facebook to be jointly responsible, even though it involved the insertion of a standard plug-in, made available by Facebook, whose general terms and conditions the website publisher merely accepted.


Because of the obvious contractual imbalance between these two companies, and since the collection tool was not designed jointly by the publisher and Facebook, there was reason to doubt the real degree of involvement and decision of the publisher in determining the means and purposes of the processing carried out through this button.

However, the Court justified this qualification of joint liability by the fact that "since the objective of Article 2(d) of Directive 95/46 [(now replaced by the GDPR)] is to ensure, by means of a broad definition of the concept of 'controller', effective and comprehensive protection of data subjects, the existence of joint liability does not necessarily mean that the different actors are equally liable for the same processing of personal data. On the contrary, these actors may be involved at different stages of the processing and to different degrees, so that the level of responsibility of each of them must be assessed taking into account all relevant circumstances of the case."

In this case, the means of processing is the plug-in that the publisher decided to insert on its site, and one of the purposes of this processing is to optimise, for the benefit of this publisher, the advertising of its products by making them more visible on the Facebook social network when a visitor to its website clicks on the said button. Under these conditions, there was therefore a joint determination of these two elements by the publisher and Facebook. On the other hand, the CNIL, which has issued only one recent sanction decision on this subject, retained the qualification of subcontractor for the company Dedalus Biologie, publisher of a standardised medical analysis software for laboratories.

In this case, the CNIL recalled the principle that "the concepts of controller and processor must be assessed in a concrete manner, taking into account all the elements that make it possible to attribute one or other of these qualities to an entity".


Analysing the facts but arbitrating in a rather terse manner, the Authority noted that "it is clear from the information provided that DEDALUS BIOLOGIE acts as a processor of the processing operations carried out on behalf of its clients, the laboratories, which are data controllers, insofar as it provides the laboratories with IT tools enabling them to carry out their processing operations and that it acts, in general, solely on the basis of their instructions".


Although a more detailed discussion would have been possible, as this is standard software, it can be seen that characterising a service as performed according to "instructions" given by a client has led to a classic qualification. This is proof of the highly casuistic nature of each case. Finally, it is still necessary to make a clear distinction between processing operations that the parties carry out jointly, or by subcontracting, and those that they carry out alone, on their own account, for which their qualification will no longer be the same.

What is the point of making the right qualification?

Whichever qualification is finally chosen, the data processors are jointly and severally liable, vis-à-vis the persons whose personal data are processed, for the compliance of the processing operations in question with the GDPR.


The victim of a data breach originating in a flaw in the processing in question will therefore in principle be able to turn to either of the parties to obtain redress, although in practice he or she will more logically turn to the entity with which he or she is in direct contact, generally the controller.

The whole issue of qualification therefore lies in the contract that the two entities conclude between them, which must necessarily be in writing and provide for the way in which the responsibilities of each are shared. As the CNIL recalled in the above-mentioned Dedalus decision, "the obligation resulting from Article 28(3) of the GDPR incumbent on both the controller and the processor has no bearing on the existence of the processor's own responsibility".


Without a clear and negotiated division of responsibilities, it will be more difficult to establish which party is responsible for the damage and, consequently, which party should be exonerated from liability, in whole or in part.


The risk is then that the CNIL or the courts will take up this arbitration and impose sanctions if the partners have not anticipated the issue. The responsibility in this matter is heavy. In addition to the amount of damages that could be awarded to the victims of a data processing breach, the administrative sanctions incurred can be up to 20 million euros or, in the case of a company, up to 4 percent of annual worldwide turnover.


The many compliance issues that come before us show that, unfortunately, these processing partners rarely put the necessary agreements in place, or do so at a minimum, without really examining the situation in concreto, which is sometimes worse.


Compliance with the GDPR, when a processing operation involves the sharing of data between several actors, is therefore not to be taken lightly and companies must be assisted in drafting their agreements and negotiations relating to the processing of personal data.

Contact


Frédéric Bourguet

Associate Partner

+33 06 49201564
