Unfortunately, there are no completed risk assessments that every company can refer to in order to ensure the new requirements are met. Each company must therefore document that it has assessed the risks of the supplier’s information security and data processing agreement, in addition to the additional requirements that the transfer of personal data to “third countries” (countries outside the EEA) implies.
Fear of big fines
Companies fear violations of privacy laws and the infamous fines that can follow. Amazon was recently fined NOK 7.8 billion. The concern is therefore very rational and understandable, given how regularly fines are issued.
There are obvious challenges in reconciling companies’ desire to have access to certain types of technologies and services with the desire to comply with regulations at the same time (to be “GDPR compliant”).
We’ve put together some tips that can make it easier to assess whether a provider can be used in a GDPR-compliant way.
In general, it is recommended to make an overview for each individual provider that documents the assessments and investigations that have been carried out in accordance with the GDPR. Below are 7 more specific tips – a simple to-do list for each vendor you want to share personal information with.
1. Find information on the processing of personal data by the provider – is the data security sufficient?
Above all, it is important to obtain information on how the provider processes personal data, and in particular in relation to the service concerned. Document that the information security offered by the provider is sufficiently good with respect to the intended processing of personal data.
Describe the intended use with respect to the processing of personal data, and note what type of personal data will be processed and about whom. If health information or other special categories of personal data are to be processed, stricter requirements apply to the security of the information. Stricter requirements also apply to vulnerable groups such as minors and employees.
Make a note of the web pages that have been reviewed, and at the same time record positive security information, e.g. two-factor or multi-factor authentication, anonymization, pseudonymization and/or encryption. It is also beneficial to describe privacy-friendly settings, e.g. a setting that limits data storage to data centers within the EEA. Another example is that the company decides to use the Google Analytics tool only with IP anonymization enabled, to prevent personal data from being processed by Google.
2. Clarify the basis of processing – do the company and the provider have a legal basis?
In order to be able to process personal data in accordance with the GDPR, companies must assess whether there is a legal basis for the processing that can be used.
There are six legal bases: the company may process personal data on the basis of a legal obligation (the Working Environment Act, the Personal Data Act, etc.), a contract (employment contract, customer agreement, etc.), consent, vital interests (to save lives, etc.), the exercise of public authority (municipal or state activities) or a legitimate interest (a balancing test must have been carried out, and data subjects must be given the possibility to object).
It should also be noted what legal basis for processing the provider has. If the provider is only to process personal data on behalf of a Norwegian company as its customer, the provider must be a data processor that only processes personal data on the basis of an “agreement”. That agreement should be the data processing agreement.
If the supplier does not consider itself to be a processor, it should be considered whether the supplier agrees to be a joint controller together with the customer. Foreign providers that, together with a Norwegian customer, decide on the purposes and means of the processing of personal data must inform the data subjects concerned that they are joint controllers, and provide contact details for each of them for any questions.
3. Assess the data processing agreement – are the content requirements met?
If a data processing agreement has been entered into or is to be entered into with the provider, this should be reviewed to ensure that it meets the content requirements of such an agreement. The Norwegian Data Protection Authority has prepared good guidelines on both when an agreement should be made and what it should contain.
In particular, check whether the agreement defines a clear framework for what the processor can do with the personal data, and whether it contains sufficient information on the supplier’s sub-processors and IT security.
4. Review where the vendor with sub-processors processes data – which countries?
Although many providers provide information on where they process personal data, it is not always clear from the information available on their services that this involves the transfer of personal data to third countries. For example, the use of a cloud service sometimes involves transfer to or storage in a third country, or the use of support for a service results in a transfer.
In order to be able to assess whether personal data is adequately protected, it is essential to have an overview of this, including what applies to the supplier’s sub-processors for the service.
To obtain this information, it is often necessary to ask the supplier directly. A good question is whether the supplier can confirm that it and its sub-processors only process data within EU/EEA countries.
5. Find a suitable transfer base – are the additional requirements met?
If the use of a service involves the transfer of personal data to third countries, it is necessary to identify the countries concerned. A few countries are considered safe, as the European Commission has approved e.g. Israel and private companies in Canada. The UK can also be used until further notice.
For the United States and other third countries without such approval, a valid transfer basis is required. Make sure to follow the guidelines of the Norwegian Data Protection Authority and the recommendations of the European Data Protection Board (EDPB) regarding transfers to third countries.
One solution is suppliers that have been granted Binding Corporate Rules (BCRs). These providers may transfer data within their group to third countries without such approval.
Another solution is for the provider to use Standard Contractual Clauses (SCCs) for such transfers. New SCCs were adopted on 4 June 2021, and the previous SCCs have a final use-by date in September. This means that many may now need to update existing agreements.
Following the judgment in Schrems II, it is no longer enough to have a basis for transfer. Each company must also carry out investigations and risk assessments to determine whether the level of protection is sufficient in relation to the country in which the supplier is located.
On 18 June 2021, the EDPB updated its November 2020 recommendations on the additional measures that need to be implemented to ensure adequate protection. Note what type of additional measures the supplier offers or promises, e.g. where the provider’s “Data Processing Addendum” describes such measures.
6. Assess the privacy risk to data subjects – is a DPIA necessary?
For certain types of personal data processing, a Data Protection Impact Assessment (DPIA) is required. It must be completed before the processing starts, and it should therefore always be investigated whether the processing in question requires such an assessment.
Therefore, document that it has been considered whether a DPIA should be carried out. For instance, the use of an artificial intelligence service that processes data about particularly vulnerable groups of data subjects, such as employees or minors, will trigger the obligation to carry out a DPIA.
If the DPIA carried out does not conclude that the risk-reducing measures will bring the high risk to data subjects down to an acceptable level, a meeting with the Norwegian Data Protection Authority should be arranged to further assess the service, or, to be on the safe side – do not use the service.
7. Get to the bottom of the issues – ask the supplier if there are any discrepancies
In some cases, it may be demanding to find good information on the supplier’s websites or in its contractual terms. We recommend that, based on the results from steps 1 to 6, the deviations be collected, that is, what is not sufficiently documented for the customer to conclude an agreement with the supplier, and sent to the supplier together.
Most vendors are happy to answer questions, as positive responses can mean new customers and increased profits. Supplier responses can form an additional appendix to the company’s internal documentation showing that the GDPR minimum requirements have been met.
More details?
To avoid fines such as those Amazon and many others have received, we recommend that you carry out risk assessments in advance to document what has been assessed and done.
The article is written by assistant lawyer Malin Rapp Færder and partner/lawyer Magnus Ødegaard, Law Firm Bing Hodneland DA.