The CNIL Issues New Guidance For Processors

In a significant change from the Directive, the GDPR imposes direct legal obligations not only to controllers, but also to processors. The CNIL recently published a guide designed to help processors identify their new obligations and help them prepare for 25 May 2018 when the obligations will come into effect.

Processor Obligations
The main processor obligations highlighted in the guide include:

  • Transparency and Accountability –– The CNIL notably insists on the need for processors to document in writing all instructions received from their controllers to be able to demonstrate their status as processors. Processors must also make available all information necessary to help controllers evaluate processor’s compliance with the GDPR.
  • Privacy by Design and by Default –– Processors must ensure that their tools, products, and services incorporate the principles of Privacy by Design and by Default.
  • Security –– In addition to the obligation to implement adequate security measures, processors must also assist controllers when a data breach occurs, in particular with respect to the controller’s notification obligation. If they have the controller’s approval, processors may even notify the breach to the supervisory authority themselves, on the controller’s behalf.
  • Assistance, Information, and Counsel –– Processors also have a general duty to assist, inform, and counsel controllers to help them comply with some of their obligations, including, responding to data subject requests, conducting DPIA, etc.

Where to Start?
To help processors prepare for the GDPR, the CNIL recommends to:

  • First: Assess whether they need to appoint a DPO, and if so, appoint one
  • Second: Review their existing contracts to align them to the GDPR contract requirements, and
  • Third: Establish records of their processing activities (the CNIL warns that processors will most of the time have to maintain two separate records: a processor record detailing the processing activities carried out on behalf of their clients, and a controller record for the processor’s own processing activities, e.g., of their employees.)

Review of Existing Contracts & Model Clauses
The GDPR strictly dictates the content of a data processing agreement (see Article 28.) The CNIL warns that all existing contracts will have to be compliant with these new rules as of 25 May 2018. The CNIL therefore recommends processors to start, today, reviewing and updating their existing contracts. The CNIL also suggests implementing these changes by way of separate amendments expressly stating that they will only become effective on 25 May 2018.

Under Article 28.8 of the GDPR, supervisory authorities can establish standard contractual clauses for processor agreements that controllers and processors will be able to use. The CNIL has not yet created them, but already provides in its guidance a list of model clauses that processors and controllers can use while waiting for the adoption of these standard contractual clauses. The CNIL insists that these model clauses do not constitute a contract by themselves and will need to be integrated into a broader agreement.

The guidance is available here (in French only.)

How OneTrust Helps
OneTrust offers a large range of tools and modules that help organisations manage their privacy programmes. For organisations acting as processors, the OneTrust Data Mapping module can help them maintain separate records for both their own processing activities and those carried out on behalf of their clients. Our other tools and questionnaires can also help processors make sure they adequately implement Privacy by Design and by Default principles into their products and services and adopt adequate security measures. In addition, OneTrust’s Vendor Risk Management and Incident & Breach Management tools facilitate communication between controllers and processors like never before, and help them share information in a clear, easy, and effective manner.