Hidden problem: subcontractors

ritu2000
Posts: 242
Joined: Sun Dec 22, 2024 5:05 am


Post by ritu2000 »

Subcontractors pose another difficulty. Cloud services are often not provided by the provider alone, but by a large number of subcontractors. If these are based in the USA or the data is processed in the USA, the appropriate level of data protection must also be guaranteed there. Remember that your company, as the data controller (Art. 4 No. 7 GDPR), is also responsible for the data processing of the contract processors and subcontractors.

The catch: the standard contractual clauses must be concluded directly between your company as the controller and each individual subcontractor (“controller to processor”). There are simply no standard contractual clauses for the processor-to-subcontractor constellation (“processor to processor”). This means that the cloud service cannot conclude standard contractual clauses with its subcontractors. The EU Commission is currently working on new standard contractual clauses that will hopefully solve this problem, but that does not help here and now.

As a workaround, we consider it reasonable to authorize the processor to conclude the standard contractual clauses with its subcontractors on behalf of your company. However, the risks outlined above that are now inherent in the standard contractual clauses for US data transfers remain.

Legal consequences and risks

Compliance with the GDPR is monitored by the data protection supervisory authorities in the individual federal states. According to Art. 58 GDPR, the authorities can take action against unauthorized data transfers to third countries, for example by prohibiting the use of services or service providers. Fines of up to EUR 20,000,000 or 4% of annual turnover (whichever is higher) are also possible. [1] Even if the Privacy Shield Agreement has become unusable with immediate effect from the EU’s point of view, the authorities will probably grant companies a grace period to adapt their processes and renegotiate contracts with US service providers. That is at least what we experienced in 2015, when the ECJ declared the Safe Harbor Agreement invalid (that was the predecessor agreement to the Privacy Shield). But: in its new decision, the ECJ expressly emphasized that the supervisory authorities must prohibit unauthorized data transfers. The authorities cannot therefore remain inactive for too long.

Customers, users, employees and other persons affected by unlawful data processing can issue a warning to your company and demand compensation for damages. Both have only happened rarely so far, but the first courts have awarded non-material damages for GDPR violations. [2] The costs of a warning can quickly reach four-digit figures. In addition, there are cease-and-desist declarations to which you are bound for years.

At least it is conceivable that consumer protection associations and competitors will issue warnings with cease-and-desist declarations. However, the legal situation is unclear and has recently been referred to the European Court of Justice for clarification. Up to now, the risk of such warnings has been rather low.

[1] An overview of fines already imposed can be found at https://www.datenschutzkanzlei.de/datenschutz-radar/
[2] e.g. EUR 2,000 for unlawful video surveillance; EUR 5,000 for late and incomplete information