Personal data processing entrustment agreement – when do we need to remember it?

Over the past two years of application of the GDPR (RODO), entering into entrustment agreements for the processing of personal data has almost become an everyday occurrence. Accordingly, in early July 2021, the European Data Protection Board adopted guidelines on the concepts of controller and processor (available in English).

Ensuring the lawfulness of personal data processing is one of the primary duties of a controller. It is not uncommon to use another entity for processing. It is then extremely important to identify the relationship between the controller and the external entity and, where we find that it is necessary, to conclude a contract for entrustment of personal data processing. So how do we identify whether there is entrustment of personal data processing in a given relationship? To clarify this, let's use the guidelines mentioned above: (i) the processor is external to the controller, (ii) the processor processes data on behalf of the controller, (iii) the purpose of processing is set by the controller, and the processor fulfills the controller's purpose, (iv) the processor therefore processes data in accordance with the controller's instructions.

Examples from practice

When does entrustment of data processing occur? The flagship example is entrusting the processing of employee data to an accounting service provider for the purpose of making settlements. In such a case, the accounting office fulfills the controller's purpose of processing, which is to meet obligations under, for example, the Labor Code and tax law. The accounting office does not have its own purpose for processing the data provided to it by an external entrepreneur, but only fulfills the contract linking it with this entity. The entrepreneur (who is also the employer) acts in such a relationship as the controller of his employees' data, while the accounting firm acts as the processor.

But let's move on to a slightly more complicated situation that we can observe in the relationship with benefit providers (sports cards, health care). In such situations, the employer enters into an agreement with the benefit provider. The employer's goal is not to provide sports or health benefits to employees. The benefit provider has its own purpose of data processing, which is to process data in connection with the provision of sports or health services. The employer has its own purposes arising from running the company and employing the employees. Thus, in such a situation we have two controllers of personal data: the entrepreneur, in relation to its employees, and the benefit provider, in relation to its clients. In the market, however, the relationship between such entities is rarely regulated on the basis of joint controllership (co-administration). In the situation described above, it is the benefit provider that contracts the entrepreneur to collect on its behalf the personal data of employees who express a desire to join the benefit program. The entrepreneur in such a situation acts as a processor, while the benefit provider assumes the role of data controller. Consequently, the processor fulfills the benefit provider's goal of acquiring customers. This is not an intuitive solution, but there is no doubt that for the time being it is a common practice in the market.

Do we always need a data processing entrustment agreement?

If we use the services of external entities, we can encounter the practice of entering into data processing entrustment agreements at almost every step. They are presented as a standard, a safeguard attached to almost every contract, and are sometimes written into the body of regulations or general terms and conditions. However, it is not always necessary to conclude a processing entrustment agreement, and sometimes it can impose additional obligations on the entrepreneur. In particular, remember that there is no need to conclude an agreement where the other party provides us with the contact details of its employees or representatives for the purpose of executing the main contract. In such a situation, there is no entrustment of personal data processing. Each party is a separate controller of personal data, and the transfer of personal data of contact persons is within the legitimate interest of each controller to be able to perform the contract: Article 6(1)(f) GDPR (in some cases, the basis may also be Article 6(1)(b) GDPR). An agreement for entrustment of processing will also not be necessary in relations with couriers who deliver parcels on similar terms as the Polish Post Office.

Summary

It is worth remembering that identifying a party as a controller makes it responsible for data processing performed by the processor, while if we identify ourselves as a processor in advance, we give the controller the right to control our activities and conduct audits. Before concluding a contract for the entrustment of personal data processing, the entrepreneur should carefully analyze the relationship between the entities.