When are processing agreements really required?
The willingness of organisations to comply with the GDPR, and the complexity of applying the “controller” and “processor” roles, has resulted in a default position where all third parties tend to be viewed as “processors”. In practice it will not always be obvious whether a third party should be considered to be a controller or a processor. Where a third party is correctly categorised as a processor, Article 28 of the GDPR requires (enhanced) data processing provisions to be in place. If the third party is a controller, however, the requirements are less clear cut and, except in the case of “joint controllers”, the GDPR does not specify any particular matters that must be covered in processing agreements.
In situations where there is a question over the role of your third party, it may be attractive to seek to treat them as a processor as part of a “belt and braces” approach to compliance. This can lead to unnecessary work; another disadvantage is that practically, many of the clauses that Article 28 require a controller to impose on a processor will not be commercially workable if the third party is also acting as a controller in providing the services.
How can we avoid losing our marketing list?
Electronic marketing is primarily regulated by the ePrivacy Directive, not the GDPR. This multi-layering of regulation consistently causes confusion for businesses.
Many companies will have reviewed their marketing lists and practices during the course of their GDPR preparation. This is likely to be as a result of changes to the definition of “consent”, which is harder to obtain under the new legislation, and must be capable of being demonstrated. Before taking significant decisions regarding marketing lists, it is worth bearing in mind that the Article 29 Working Party (“A29WP”) and the Information Commissioner’s Office (“ICO”) continue to release guidance that is relevant to this area. In particular, the A29WP’s guidelines on consent were finalised earlier this month, and the ICO is in the process of finalising its own guidance on the topic. Without considering fully what these documents say, there is a risk of making decisions about existing marketing databases that cannot be undone. “Re-consenting” is often referred to, but is not necessarily the most attractive option for companies, either legally or commercially.
To further complicate matters, the ePrivacy Directive will soon be replaced by an ePrivacy Regulation, which has not yet been finalised. Drafts of the Regulation have been published; however, companies may need to review their marketing practices again once the legislation is published in its final form.