As it is very likely that an agency will process personal data on behalf of its clients, it is advisable to take certain precautions to limit, as much as possible, the onset of any disputes.
If the agency is the external data controller, it must:
- sign an ad hoc contract (called “Data processing agreement”, “Contract ex-art. 28 of Regulation 679/2016” or “Appointment of the person in charge”– here you’ll find more information and a template to download) with each data controller (i.e., the client); and
- act transparently and proactively in order to prove that you’ve have done everything correctly in case of audits.
What’s the difference between data controller and data processor?
The term “data controller” means any natural or legal person determining the purposes and means of the processing of personal data of its users. It’s the one who determines “why” and “how” the personal data collected should be processed, usually the owner of the site/app (in this case, the client).
The term “data processor” means any natural or legal person who processes personal data on behalf of the data controller. This is the case, for example, of an agency that runs newsletters or marketing campaigns for its clients.
According to the GDPR, these are the obligations of the data processor (agency) towards the data controller (client):
- The agency is only obliged to process personal data on the client’s documented instructions. This means that the agency must strictly adhere to the client’s processing instructions, which are generally defined for the most part in the data processing agreement mentioned above. The client’s instructions will cover the entire data processing cycle, i.e., from collection to termination of processing. It follows that, once the processing services have been completed, the agency will have to cancel or return the personal data to the client, depending on the instructions given by the client (i.e the data controller).
- Personal data must be treated with the utmost confidentiality: to ensure this, the agency must ensure that the processing is carried out only by authorized personnel who are bound (or legally bound by) an obligation of confidentiality. Written processing instructions usually fulfill this obligation to employees. These instructions contain clauses on how to process the data and rules on privacy in the course of processing operations.
- The agency must then ensure that all required security measures are taken and may not resort to using an outside party’s services (e.g. as a sub-processor) without the client’s prior written authorization.
- The agency’s obligations of assistance and cooperation are fundamental. Through the adoption of appropriate technical and organizational measures, the agency must help the client respond to users’ requests to exercise their rights. Let us suppose, for example, that a user requests the rectification of his email address in a database used to send Direct Email Marketing (DEM). If the agency in charge of the maintenance of the related database and the sending of such emails receives the request of the person concerned, it must immediately inform the client (i.e the data controller) and proceed according to the instructions provided.
- The agency must assist the client in fulfilling any obligations arising from situations like a data breach, during any prior consultation with the supervisory authority or should a Data Protection Impact Assessment become necessary.
- The agency must make available to the client all the information in its possession that is necessary to demonstrate the client’s compliance with legal obligations. In doing so, it may not hinder any review activities (including inspections) carried out directly by the client or by any other person commissioned by the client.
Indemnity and iubenda software
It should be stressed that an indemnity exonerates the agency from the responsibilities inherent in the “goodness” of iubenda’s products, not from all liability.
Client and agency duties in case of damages to users
Article 82 of the GDPR is the key rule on civil liability in the processing of personal data and the consequent right to compensation, and specifies that:
Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
While the data controller (client) is liable for the damage caused by the processing that violates the GDPR, the data processor (agency) is only responsible for the damage caused by the processing if:
- it has not fulfilled its obligations under the GDPR, or
- acted inconsistently or contrary to the client’s (legitimate) instructions.
The agency might respond in cases where:
- it transgresses the client’s instructions (even if it exceeds the limits of its competence, in which case the GDPR provides for it to assume responsibility as an independent owner);
- it does not assist the client (e.g., for data breaches or impact assessment);
- does not make the necessary information in its possession available to the client;
- does not inform the customer that an instruction from the customer violates the law;
- while being obliged to do so, does not appoint a DPO (Data Protection Officer);
- appoints a sub-processor not previously authorized;
- appoints a sub-processor who does not offer sufficient guarantees;
- does not keep a register of processing operations.
The conditions of exemption from liability
The customer or the agency can only be exempted from liability if they can prove that the damage is in no way attributable to them (e.g., if it results from a data processing that is not done by them).
Joint and several liability
If the damage is attributable to more data controllers or data processors (or both), each of them is jointly and severally liable for the full amount of the accident.
In this case, the person who has compensated for the damage in full can claim compensation corresponding to their share of liability from the other owners or liable parties involved.