No GDPR mandatory controller-to-processor provisions in a vendor contract can lead to a €75,000 fine (even if the contract was signed before May 2018)

Background

Since 1999, the Lazio Region had entrusted the regional call centre service (ReCUP) to a supplier ( “Company A”), without designating Company A as data processor even before the GDPR came into force.

Between 2003 and 2005, Lazio Region entrusted a different company (“Company B”) with the development, organization, and management of the regional information system, including the call centre service.

Between 2005 and 2006, Lazio Region transferred the contract entered into with Company A to Company B and appointed Company B as data processor. From a legal standpoint, Company A would therefore have been a sub-processor, though none of the agreements between the parties reflected this.

In 2018, Company B designated the call centre operators (i.e., Company A employees) as authorized persons, under Article 30 of the Italian Data Protection Code in force at the time being, but without entering into a data processing agreement with Company A.

The Italian DPA’s assessment

Below are the main points noted by the Garante:

• Company A carried out processing of personal data in the context of the provision of the call centre service without being designated as data processor;
  
  
• In 2008 Company B appointed Company A as data processor for the processing of personal data carried out for the call centre service. The Garante considered such appointment ineffective, since the data processing agreement identified Company B as data controller, although the controllership of such processing was attributable exclusively to the Lazio Region (indeed, Company B had already been designated by Lazio Region as data processor);
  
  
• The designation of Company A employees as authorized persons must be considered ineffective, since Company B is not the employer and, as a result, it cannot exercise the same “direct authority” that only the data controller or the data processor can exercise over their own employees.

The application of the administrative fine

The Garante decided to set the fine at € 75,000 for the violation of the accountability principle (Article 5, Paragraph 2, Letter a of the GDPR) and for failure to designate Company A as data processor under Article 28 GDPR.

This administrative sanction has been imposed in light of the elements provided for in Article 85, paragraph 2, of the GDPR, in relation to which the Garante noted in particular that:

• Lazio Region did not designate Company A as data processor, and it did not give proper instructions such as details on the subject matter, duration, nature and purpose of the processing, the type of personal data and the categories of data subjects, as well as the obligations and rights of the data controller and the adequate security measures to be adopted;
  
  
• The unlawful processing of personal data has had a particularly long-time duration, since the Lazio Region has allowed Company A to carry out processing operations from 1999 to January 2019, without a proper legal basis.