Contracts entrusting the processing of personal data. Is every subcontractor a processor of personal data?
When concluding contracts for the provision of services, many contractors demand an additional contract entrusting the processing of personal data (DPA). Whether the processing of personal data is actually entrusted for the performance of the main contract depends on the role each party plays in the processing. Not every transfer of personal data to a contractor involves entrusting the data for processing. Before signing a contract entrusting personal data for processing, it is worth checking whether it is really needed.
First of all, it should be determined whether performing the service contract requires transferring any personal data to the contractor at all. For example, an order for the production of workwear for employees can be placed without providing their names and surnames, only the clothing sizes. An entrustment contract is not concluded with an office cleaning company, as no personal data are required to perform its service. However, it is important to apply appropriate security rules when admitting third parties to the area where personal data are processed, and to regulate these matters in the contract.
Role in the processing
Next, it should be determined which role (administrator or processor) each party to the contract performs. An effective test for verifying the role in the processing is to imagine that, after the contract ends, the provider of the personal data requests their return or removal. If fulfilling such a request would not be possible because of the contractor's own obligations or interests, the processing of personal data is not being entrusted.
In some cases, the roles of the parties to the contract will not raise doubts. For example, when mandatory periodic tests of employees are commissioned, both the employer and the entity performing those tests will be separate administrators of personal data. As a rule, a contract entrusting the processing of personal data does not have to be concluded with a law firm that is, for example, instructed to pursue a payment claim against a contractor, or with a public operator providing courier services. These entities process personal data for their own purposes and not on behalf of and under the supervision of the administrator.
Sometimes determining the role in the processing of personal data will require an analysis of the additional circumstances of the case. For example, having an external entity conduct health and safety training for employees will, as a rule, require the employer to entrust the processing of personal data. However, if the training is conducted by a sole entrepreneur who will use the employer's IT systems to conduct the training (e.g. for human resources), it may be enough to authorize him to process personal data just like an ordinary employee. A similar situation arises with workers engaged under B2B contracts. If they perform their activities within the client's infrastructure, it is possible, depending on the specific situation, to forgo the contract entrusting the processing of personal data and grant a regular power of attorney instead.
It should not be forgotten that under the RODO (the GDPR) it is also possible to co-administer personal data, that is, to jointly set the purpose and method of data processing. Typical examples of co-administration are employee recruitment conducted jointly by companies belonging to the same capital group and co-organizing a competition for clients with a business partner. In this case, instead of a contract entrusting data processing, the administrators conclude co-administration agreements to regulate how the rights and obligations related to the processing of personal data are implemented.
If there are doubts about whether the conclusion and performance of the main contract require additional regulation of issues related to the processing of personal data, it is worth consulting a lawyer on this matter.