The Danish DPA has published guidance for data controllers on monitoring data processors, with suggestions based on risk assessment.
The Danish DPA published guidance last month, for any private company, public authority or institution, processing personal data, or functioning as a data controller, on how to best monitor their data processors. These data processors are essentially external bodies who process information on behalf of the data controllers, and are oftentimes in possession of personal data and other sensitive information. It is imperative that processors handle this information as they are supposed to, and data controllers can monitor their respective processors to ensure that this is the case. This is important, as ultimately data controllers are held responsible for the data.
Data controllers have a responsibility to ensure that their data processors are processing the information properly.
In the relationship dynamic between a data controller and processor, the data controller decides why (for what purpose) and how (with what aids) the personal data is processed. A data processor, on the other hand, is the one who processes personal data on behalf of the data controller – i.e. following an instruction from the data controller. The data controller is oftentimes held responsible for the data and its use, as well as any mishaps which may occur regarding the data and its processing. As a result, it is imperative that data controllers monitor their data processors handling the data of their clients, customers or other data subjects.
The Danish DPA has suggested six different approaches to monitoring data processors, based on the level of risk.
In light of the importance of data controllers supervising their respective data processors, the Danish DPA has provided guidance for controllers regarding how, and how much they should supervise. The guide answers many questions on how much supervision is necessary and how it should be carried out. In addition, it provides a helpful approach of following guiding supervisory concepts, to help gauge the level of risk associated with the processing of certain data. Based on the level of risk, the guide from the Danish DPA suggests six different approaches to supervision, ranging from a very low risk supervisory approach to very high risk. These are outlined here:
Concept 1 (very low risk)
Do not do anything unless you become aware that something is wrong with the data processor.
The data processor confirms – preferably in writing – to you that all requirements in the data processor agreement are still complied with.
The data processor gives you annually – either directly or via its website – a written status of matters covered by the data processor agreement and other relevant areas (e.g. organizational or product changes).
The data processor has a relevant and updated certification or follows a so-called code of conduct that is relevant to your processing activities.
An independent third party has conducted documented supervision of the data processor in an area that also covers your processing activities.
Concept 6 (very high risk)
The data controller carries out a documented inspection of the data processor themselves – or together with others.
Deciding which approach would be appropriate in each data controller’s situation is important and would be determined based on the level of risk associated with the data being handled by the processor. However, some level of supervision of one’s data processor is necessary in every case. It then becomes important to assess the level of supervision necessary and to conduct supervision as needed.