This blog post is written for informational purposes only. It does not constitute legal advice, and should not be used as such.
In our previous blog posts on GDPR and expert calls, we looked at the roles and responsibilities of expert networks and clients when processing expert personal data. To recap, we concluded that when processing expert personal data in relation to expert calls, the expert is a data subject, and the expert network and the client act as separate and independent data controllers.
But the supply chain is rarely this clean. What happens if one or several of the parties engage a data processor? Which responsibilities do data processors have, and to what extent is the controller responsible for the processing performed by its processors?
Most expert networks use some sort of Recruitment Management System in which they handle expert profiles. Email is the primary tool for communication between the expert network and the expert, as well as between the expert network and the client. The client team often compiles expert profiles in an Excel sheet to distribute to colleagues in the internal team. All of these services ‘process personal data on behalf of the controller’ and hence act as data processors.
Inex One removes the need to use an email program to communicate with expert networks, and the need to use MS Excel or other software to compile and administer expert profiles. We act as a data processor in relation to both the expert network and the client, just as an email program or a Recruitment Management System does.
A data processor has several responsibilities to the data controller on whose behalf it is acting.
Amongst other things, it should:
– only act on behalf of, and as instructed by, the data controller.
– implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.
– not engage another processor (sub-processor) without prior authorisation of the controller.
The processing performed by a data processor shall be governed by a contract that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. Such a contract is referred to as a Data Processing Agreement (DPA). The DPA is part of Inex One’s legal documentation for clients and partners.
How can Inex One support clients in their GDPR Compliance efforts?
As a data controller, the client has several responsibilities towards the data subject whose personal data it is processing. One of them is to follow the principle of storage limitation. A data controller should not store personal data “longer than is necessary for the purposes for which the personal data are processed”. In practice this means that when a project has ended and the expert data is no longer needed, it should be deleted or anonymised. This applies not only to directly identifiable personal data such as name and phone number, but also to indirectly identifiable data such as career history.
Most clients today find it hard to live up to this requirement. Given the way the sourcing of experts is handled, personal data quickly spreads from email servers to Excel sheets, and then on to notepads, Word documents and other systems. Even if there are internal processes in place for how to handle personal data, they are not always followed by individual employees whose focus is on the project.
Inex One was built according to the principles of privacy by design, and has built-in functionality for storage limitation. We automatically anonymise any personal data related to experts 12 months after a project has ended, or at the client’s request. When using Inex One, there is no need to compile and distribute information about experts in Excel sheets to colleagues, or to use email to communicate; instead, all data is processed within the closed ecosystem of the platform.
The GDPR has given individuals certain rights to empower them to take control of how their personal data is processed. It provides individuals with eight different rights, of which the “right to erasure” or “right to be forgotten” is probably the most well known. Individuals have the right to have their personal data erased if it is no longer necessary for the purpose for which it was originally collected or processed (e.g. when a project has finished), if the original consent is withdrawn, or if you as the data controller are relying on legitimate interest as your basis for processing and the individual objects to the processing.
If an expert makes a request for erasure to a client that has processed that expert’s personal data, the client has one month to respond to and act upon the request. This means that within one month, the client must identify and delete all personal data related to that individual expert in email systems, on hard drives, on local servers, in cloud services, etc. These kinds of requests can easily become an administrative nightmare, as many companies still do not have appropriate processes and methods in place to identify and delete personal data related to expert calls. With Inex One, this is no longer a problem. Our strict data retention schedule ensures that you do not hold expert personal data longer than necessary, and if you receive a request for erasure for data that has not already been anonymised, we have robust processes in place to have it deleted for you.