CNIL Guide for Processors
France's Commission Nationale Informatique & Libertes (CNIL) has published a guide to assist the processors of personal data comply with the General Data Protection Regulation. It provides answers to 12 key questions:
1. Are you a processor in the meaning of the General Data Protection Regulation?
The guide specifically identifies, "IT service providers (hosting, maintenance, etc.), software integrators, cybersecurity companies or IT consulting companies" as processors under the definition given by the GDPR, but not software publishers or hardware manufacturers who do not have access to personal data.
2. Are you subject to the General Data Protection Regulation?
Processors will be subject to the GDPR if they are 'established' in the EU, or if processing is related to the offering of goods and services in EU, or monitoring of their behavior in the EU.
3. What is the primary change introduced by the General Data Protection Regulation for processors?
Contracts between a controller and processor must state the processor's obligation to protect the security and confidentiality of personal data.
4. What are your obligations from 25 May 2018?
A record must be maintained of any processing that is performed. Services should by default only collect data that is necessary for the purposes of processing.
5. Where should you start?
a. Determine if it is necessary to have a data protection officer.
b. Analyze contracts.
c. Record processing activities.
6. If I use another processor, what are my obligations?
"As a processor, you may only recruit another processor after obtaining written authorisation from your client."
7. Do the current contracts with my clients need to be amended?
Existing contracts had to be amended by May 25, 2018 to include the compulsory clauses specified by the GDPR.
8. What is my role in the event of a data breach?
Both clients and the authorities have to be notified immediately.
9. What is my role with regard to the impact assessment?
The controller, not the processor, must assess the impact of processing operations.
10. Am I able to benefit from the one-stop-shop mechanism?
A single country's supervisory authority may make decisions for entities conducting cross border processing.
11. What are my obligations if I am not established in the EU?
A body will be subject to the GDPR if it processes data pertaining to EU data subjects. A representative must be appointed to field the questions of EU authorities and the data subjects.
12. What are the risks if I do not comply with my obligations?
Liability for damages suffered, or administrative penalties of between 10-20 million euros, or 2-4% of "total worldwide annual turnover", whichever is higher.