From marketing campaigns to software for personnel and customer management, from paper and file shredding to outsourcing the data centre to a cloud provider – almost all companies use external service providers for their daily tasks. In terms of data protection law, these providers are usually processors, which is why the strict provisions of Article 28 of the GDPR must be complied with and a data processing agreement with binding specifications must be concluded. One of the core provisions is that the processor may process the data only on the basis of documented instructions from the controller and may not use the data for its own purposes.
However, this principle is in tension with the interests of the processor, which would usually like to use the data for its own purposes, for example to improve the services or products it offers or to design new services. Exceptions to the above principle may therefore be made, subject to compliance with certain prerequisites. Based on guidance on this issue published (only in French) by the French data protection supervisory authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), we take the opportunity to look at the prerequisites and conditions that must be complied with for such further processing.
1. Written permission from the controller
The basic prerequisite for further processing, i.e. the further use of data by a processor for its own purposes, is permission from the controller. The latter must carefully examine whether further processing is compatible with the purpose for which the data were originally collected.
According to the CNIL, the following aspects must be taken into account:
- It must be checked whether there is a correspondence between the purposes for which the personal data were collected and the purposes of the intended further processing.
- Consideration must also be given to the context in which the personal data were collected, particularly with regard to the relationship between the data subjects and the controller.
- The type of personal data is also important, especially if the data are sensitive data (e.g. health data) or personal data about criminal convictions and offenses.
- The consequences for the data subjects of the planned further processing must also be weighed.
- Finally, it must also be checked whether suitable safeguards (e.g. encryption or pseudonymisation) are in place.
For example, the CNIL mentions a processor that wants to reuse data for the purpose of improving its cloud computing services. Provided that appropriate safeguards are in place, ideally anonymisation of the data, the further use might be considered compatible with the original processing. The use of the data by the processor for the purpose of commercial advertising, on the other hand, is generally not compatible with the original purposes. In this case, the controller may not grant permission for further use.
In its guidance, the CNIL mentions two further conditions regarding the controller’s permission: on the one hand, since the examination described above must be carried out for each specific case, no prior or general authorisation for the further use of data may be granted. On the other hand, since the GDPR requires a contract or other written legal act, the respective authorisation must be granted in writing.
2. Informing the data subjects
In principle, the original controller has to inform the data subjects about the transfer of the data to the new controller. In particular, this information must also state whether the data subject can object to the disclosure. However, if the processor already has the contact details of the data subjects, the controller may also entrust the processor with this task.
3. Compliance by the processor with the legal requirements
As the new controller within the meaning of the GDPR, the former processor is subsequently responsible for processing the data in accordance with the law. In particular, it must:
- ensure that further processing serves a clearly defined purpose and is based on a legal basis appropriate to that purpose;
- inform the data subjects in accordance with the requirements of the GDPR;
- comply with the principle of data minimisation by means of appropriate retention periods and deletion concepts;
- allow the exercise of the various rights of the data subjects; and
- take appropriate technical and organisational measures to ensure the security of processing.
4. Delimitation of own and joint responsibility
Overall, when examining further processing by the processor, care should also be taken to distinguish it from processing for which the processor is itself responsible as a controller, since the boundaries are fluid here even within a contractual relationship. For example, the collection of user telemetry data by the processor’s software is not commissioned processing but falls under the processor’s own responsibility. In this context, and in view of the European Court of Justice’s extensive case law on joint responsibility, it must be examined in detail whether joint responsibility may be assumed in the case at hand.
Further processing of data by the processor for its own purposes may only be carried out in compliance with strict prerequisites, but it is by no means impossible. However, both the controller and the processor should inform themselves in advance about the complex legal requirements that apply to each of them and ensure a clear distribution of roles, especially when informing data subjects. In order to avoid errors during further processing that can lead to severe fines, legal expertise should be obtained in cases of doubt.