The first fine against a data processor under the General Data Protection Regulation 2016 (“GDPR”) has been imposed by an EU data protection authority.

Although the non-compliance took place in Italy and the fine was only for EUR 50,000, it’s a timely reminder to data processors here in the UK of their direct statutory obligations under the new data protection regime.

Prior to the GDPR, the position in the UK (and most other EU Member States) was that only data controllers were subject to statutory obligations under data protection law. Data processors, on the other hand, were not at risk unless they breached their obligations under contract law (i.e. any contractual data protection obligations imposed upon them by the data controller).

The GDPR changed all this this by imposing certain direct statutory obligations on data processors at an EU-wide level. This means that data processors, as well as data controllers, are subject to the GDPR’s enforcement regime (including the potentially eye-watering fines). It also means that data subjects may be able to bring direct claims for compensation against data processors.

The main statutory obligations that apply to data processors under the GDPR are:

  • Data processors must only process personal data in accordance with the data controller’s instructions (unless otherwise required by law). If a data processor acts outside its instructions, it will become a controller for the purposes of that processing.
  • Data processors must enter into a binding contract with the data controller and that contract must contain certain mandatory provisions.
  • Data processors must not appoint a sub-processor unless they have the authority of the data controller to do so. Also, any contract with a sub-processor must include contract terms that offer an equivalent level of protection for the personal data as those in the contract between the data processor and the data controller.
  • Data processors must implement appropriate technical and organisational measures to ensure the security of personal data (taking into account, in each case, the level of risk involved in the processing).
  • Data processors must notify the data controller of any personal data breaches without undue delay.
  • Data processors may be subject to obligations to keep records of processing and/or appoint a data protection officer. Both these requirements only apply if certain criteria are met.
  • Data processors can’t transfer personal data outside the EEA unless the transfer (i) is authorised by the data controller and (ii) complies with the provisions of the GDPR relating to international transfers of personal data.

In the Italian case, the data processor’s non-compliance related to a failure to implement appropriate technical and organisational security measures to protect personal data. The Italian data protection authority (the Garante) had issued specific instructions regarding the security measures that the data processor needed to put in place and issued the fine when the data processor failed to comply. Interestingly, the Garante only fined the data processor, not the data controller.

If you’d like more information about the direct statutory obligations imposed on data processors under the GDPR or if you need guidance to work out whether your business is acting as a data processor, please contact a member of our Commercial Team.