In the last month, both the European Data Protection Board ("EDPB") and the Court of Justice of the European Union ("CJEU") provided their interpretation of key data protection concepts that are crucial for ensuring compliance with Regulation (EU) 2016/679 ("GDPR").
In Opinion 22/2024, the EDPB provided guidance to data controllers on how to effectively oversee the activities of their (sub-)processors in a GDPR-compliant manner. The opinion was requested by the Danish data protection authority and likely related to the enforcement actions against Danish hospitals which allegedly failed to oversee processors (see our blog – https://www.biosliceblog.com/2024/02/proposed-fine-against-danish-hospital-for-failure-to-supervise-data-processors/).
In early October, the CJEU provided an answer to a key question raised by the courts in the Netherlands – can the legitimate interests legal basis be used for processing of personal data for commercial purposes (e.g., sharing with third parties for advertising and promotion) (Case C‑621/22).
Why should Life Sciences companies care?
Life Sciences companies should consider this Opinion (detailed discussion below) and assess whether the activities of their (sub-)processors are effectively supervised in line with the expectations of the EDPB and the data protection authorities. Failure to do so may lead to enforcement and penalties, especially in relation to the processing of special categories of personal data.
The CJEU ruling provides some level of comfort for companies, including in the Life Sciences sector, when using the legitimate interests legal basis in the context of commercial and promotional activities. The ruling also re-emphasises, however, the strict limits and boundaries imposed by the GDPR.
The EDPB Opinion
In summary, the EDPB takes the position that:
1. In order to ensure compliance with the GDPR, controllers must have the information on the identity (i.e. name, address, contact person) of all processors and sub-processors readily available at all times:
- this is required regardless of the level of risk associated with the processing activity
- the processor should proactively provide the controller with all this information and should keep it up to date at all times
2. The controller must verify whether the (sub-)processors provide sufficient guarantees to implement the appropriate technical and organisational measures determined by the controller:
- this applies regardless of the level of the risk to the rights and freedoms of data subjects
- the extent of such verification by the controller will in practice vary depending on the nature of these technical and organisational measures – i.e., stricter and more extensive when risk levels are higher
3. While the initial processor should ensure that sub-processors provide sufficient guarantees, the ultimate decision on whether to engage a specific sub-processor and related responsibility, including verifying the sufficient guarantees provided by the sub-processor, remain with the controller (and not the processor)
4. The controller must be able to demonstrate that it effectively verified the sufficiency of the guarantees provided by the (sub-)processors:
- the controller may choose to rely on the information received from its processor and build on it if deemed necessary
- the depth of verification and checking of the information provided by the (sub-)processors must be proportionate to the level of risk for the data subjects (i.e., higher risks require more in-depth verification)
- the controller does not have a duty to systematically ask for the sub-processing contracts to verify that the data protection obligations imposed on the initial processor are included in the agreements with the sub-processors:
Instead, the controller should assess, on a case-by-case basis, whether reviewing such contracts is necessary to demonstrate compliance in line with the GDPR principle of accountability
The Opinion also highlights that the above applies fully to data controllers when ensuring GDPR compliance of both initial and onwards cross-border transfers of personal data occurring between the (sub-)processors.
In terms of contractual provisions, while (sub-)processors are permitted to process personal data not in line with the data controller's instructions where this is required by EU or EU Member State law, the EDPB stresses that this does not apply to legal requirements imposed by non-EU laws – i.e., the (sub-)processor is not permitted to process personal data as required by US law unless instructed to do so by the controller.
The CJEU ruling
According to the CJEU:
1. A wide range of lawful interests (i.e., interests not contrary to the law) could be considered "legitimate":
- this includes commercial interests, such as direct marketing or sharing of personal data with partners for advertising or marketing purposes
2. This legal basis can be used only if the legitimate interest in question is not overridden by the interests and fundamental rights of the data subject – i.e., the controller must perform a balancing exercise to determine this, taking into account, among other things:
- whether the data subjects reasonably expect such processing
- the scale of the processing at issue
- its impact on the data subjects
3. The data subject must be informed of the specific and precise legitimate interest pursued by the controller
4. The data minimisation principle always applies – i.e.:
- no personal data should be processed if the legitimate purpose can be achieved without such processing
- if the processing of personal data is actually needed, the personal data processed must be adequate, relevant and limited to what is strictly necessary