GDPR: When It Comes To Data Security, Processors Are No Longer Safe

Published date: 30 March 2021
Subject Matter: Privacy, Technology, Data Protection, Security
Law Firm: Haas Avocats
Author: Ms Marie Torelli and Stéphane Astier

For the first time since its creation in 1978, the French Data Protection Authority (the "CNIL") fined not only a data controller, but also its data processor.

On January 27, 2021, the CNIL imposed a 75 000 euros penalty on a processor due to insufficient security measures.

Although unpublished, this decision is unprecedented both in its reasoning and its consequences.

This new approach completely shifts the contractual balance between processors and controllers.

Where processors used to rely on their status under the GDPR to exclude or limit their liability, they are now required to provide data controllers with the most appropriate security measures.

As for controllers, this decision incidentally confirms a forthcoming wave of audits to be operated in order to make sure that all the security standards imposed on their processors are actually met.

How can liability be shared in such a way as to ensure the legal security of the relationship between controllers and processors while taking into account the CNIL's new doctrine?

  1. What the French Data Protection Authority decision changes

In order to fully understand what this decision actually entails, one should take note of the CNIL's doctrine prior to this decision.

1.1 The CNIL's doctrine prior to January 27, 2021

Until January 27, 2021, the Authority's doctrine was quite straightforward: even when the processor was at fault, it would only fine the controller.

The CNIL's reasoning was actually based on the five following principles:

  • The data controller's liability cannot be transferred to the processor. In other words, resorting to a processor or a sub-processor does not exonerate the controller from ensuring data security;
  • Controllers must impose, by contract, appropriate and relevant security measures on their processors. Accordingly, where the contract does not provide for such measures, the controller will be fined;
  • Controllers must not only impose security measures, but must also monitor their application by their processors, which entails conducting security audits or general monitoring of the processors' actions;
  • This reasoning does not violate the constitutional principle of personal liability. Under this principle, vicarious liability should be excluded when awarding penalties. Accordingly, if the processor is solely responsible for the breach, it should be the only one being fined. However, according to the French Conseil d'Etat (the Council of State, or supreme court for administrative...
