When an IT company acts as a service provider, it can either be in the position of Data Processor or Data Controller. In any case, the preferred position for any entity is to be a data processor because there are fewer GDPR obligations for data processors.
When GDPR entered into force back in 2018, there were numerous changes in the system of personal data processing as well as several new obligations that controllers and processors are obliged to comply with when processing personal data on any basis.
What is Personal Data
Personal data is information related to an identified or identifiable individual. Information about companies or public authorities is not personal data.
What identifies an individual could be a name or a number or could include other identifiers such as an IP address or a cookie identifier.
If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.
If you cannot directly identify the individual from that information, then you need to consider whether the individual is still identifiable. You should consider the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual.
Information that has had identifiers removed or replaced in order to pseudonymize the data is still personal data for the purposes of GDPR.
Information that is truly anonymous is not covered by GDPR.
GDPR has established seven key principles which should be basic in everyone’s approach to process personal data:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
If your company wants to avoid fines, it should be 100% compliant with the above principles. GDPR explicitly states that infringements of the basic principles for processing personal data are subject to the highest tier of administrative fines. This could mean a fine of up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher.
The lawful basis for data processing is:
- Legal obligation
- Vital interests
- Public task
- Legitimate interest
In the specific case of IT service providers, the main basis for data processing is the contract signed with the client (a data controller) with all the conditions of cooperation regarding processed information.
Individual rights which are guaranteed by GDPR:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Right related to automated decision-making including profiling
These rights are mostly connected with the data controller but also indirectly with the data processor, as well. The data processor is obliged to act in accordance with the rules and demands imposed by the data controller.
Data Controller vs. Data Processor
Understanding whether you are processing personal data is critical in order to understand whether GDPR applies to your activities.
Data controllers’ obligations are much wider than data processors' and that is the reason for such acting, as well as the fact that service providers cannot control and determine the way in which information will be used.
If you exercise overall control of the purpose and means of the processing of personal data – i.e. you decide what data to process and why – you are a controller. Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data. Controllers make decisions about processing activities and are ultimately in charge of and responsible for the processing.
If you don’t have any purpose of your own for processing the data and you only act on the client’s instructions, you are likely to be a processor – even if you make some technical decisions about how you process the data.
A controller can be a company or other legal entity (such as an incorporated partnership, incorporated association or public authority), or an individual (such as a sole trader, partner in an unincorporated partnership, or a self-employed professional, a lawyer, etc.)
Although the processor may make its own day-to-day operational decisions, GDPR says it should only process personal data in line with the controller’s instructions, unless it is required to do otherwise by law. In any case, the processor should implement appropriate technical and organizational measures to account for security risks and to assist the controller in responding to requests of individuals.
Processors must, in any case, keep personal data confidential and obligate their personnel to the same confidentiality obligations.
Processors should keep necessary records and make them available to controllers and regulators if needed. Processors should notify controllers of a data breach incident ASAP and provide support in those cases, and process personal data only to the extent authorized by the controller.
Processors should obtain controllers’ written permission before engaging subcontractors which act as s sub-processors. Entering into contracts with sub-processors should provide the same level of protection as the principal contract with controller. Also, processors must delete or return to the controller (at the controllers’ choice) all personal data when no longer providing services. In any case, processors should train employees on GDPR and create company policies in compliance with GDPR.
The data processor follows instructions from the data controller regarding the processing of personal data.
When IT companies provide services, they act as a data processor and they must comply with GDPR rules regarding processors. The main basis for the data processor is a contract signed with the data controller which determines all conditions of their cooperation regarding those data.
In any case, IT companies should update their company policies regularly and conduct periodical audits and permanent educations if they want to stay in line with the GDPR legislative and the best industrial practices.