How subcontractors can reuse data: this is possible only under specific conditions, which CNIL has outlined.
Under the GDPR, several conditions must be met before a subcontractor (the GDPR's "processor") may reuse data provided to it by the data controller. The French regulator, CNIL, has outlined the circumstances in which such reuse is allowed. A data processor is meant to process data only on the instructions of the controller, and never for its own purposes. However, in some cases a subcontractor may wish to reuse that data for a specific purpose of its own, such as improving its products or services. In these cases, a controller may authorise the subcontractor to reuse the data for its own purposes, but only if several conditions are met. CNIL has outlined these conditions in a recent article. It is important to note that, once authorised to reuse the data for its own purposes, the processor becomes the controller of, and therefore responsible for, that new processing.
Before a subcontractor can reuse data, a compatibility test must be run.
Before any "subsequent processing" (processing that follows the collection operation and pursues purposes other than those of the initial collection) can take place, the data controller must run a compatibility test. The purpose of this test is to determine whether the further processing is compatible with the purpose for which the data was initially collected. In doing so, the data controller considers whether there is a link between the purposes for which the personal data was collected and the purposes of the intended subsequent processing. Other relevant factors include the context in which the personal data was collected and the nature of the personal data, in particular whether it is sensitive. The existence of appropriate safeguards, which may include encryption or pseudonymisation, must also be taken into account. The compatibility test must be carried out for each specific processing operation, taking into account the purposes and characteristics of every operation for which the subcontractor wishes to reuse the data. Only if the result of the test is satisfactory may the data controller grant its authorisation, and even then it remains free to refuse.
Authorization for the reuse of data must be in writing, and the data subjects must be informed by the controller.
The GDPR requires that a contract or other written legal act, which may be in electronic form, govern the processing carried out by a subcontractor. The same applies to any authorisation to reuse the data. In addition, the controller must ensure that data subjects are adequately informed of the reuse of their data for the new purposes, and in particular must tell them whether they can object to it. In practice, CNIL recommends that the initial data controller provide, where possible, all the information about the new processing itself. The controller may delegate this task to the subcontractor if the subcontractor already holds the contact details of the persons concerned.
The responsibility of ensuring the compliance of the subsequent processing rests on the subcontractor.
The subcontractor is responsible for ensuring that the new processing complies with the GDPR; if it fails to do so, it may be sanctioned by CNIL. It must process the data within the regulation and only for the intended, compatible purposes for which the written authorisation was given. As the controller of the further processing, it must ensure that the processing serves a well-defined purpose and rests on a lawful basis appropriate to that purpose.
CNIL's article specifically mentions defining an adequate retention period and providing data subjects with the information on indirect collection that the initial controller has not already given them (subject to the applicable exceptions). Particular attention must also be paid to implementing appropriate security measures, applying data minimisation and, more generally, protecting the rights of data subjects.
Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.