Denmark: Datatilsynet's guide on data processor audits
On 29 October 2021, the Danish data protection authority ('Datatilsynet') published a guide on how to approach data processor audits. In the guide, the Datatilsynet sets out six supervisory concepts based on a risk assessment of the processing activities in question. The risk assessment uses a points scale, where the total score gives the data controller a sense of the risk associated with the processing, and which supervisory concept to choose when auditing the data processor. Camilla Sand Fink, Senior Associate and Head of the Data Privacy Team at CLEMENS Law Firm, reviews the Datatilsynet's guide and the central issues around auditing data processors.
Data controllers and data processors
When collecting and processing personal data, the data controller, who is responsible for the processing of the personal data (e.g. private enterprises, authorities, or institutions), will in practice almost always entrust personal data to data processors. A data processor processes personal data on behalf of, and subject to instructions from, one or several data controllers or other data processors (e.g. cloud service or software providers). When entrusting personal data to a data processor, the data controller is responsible for ensuring that the personal data is processed in a proper manner and in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). This covers both the data controller's own processing and the data processor's processing of the personal data.
To ensure such compliance with the GDPR, the parties must enter into a data processing agreement in accordance with Article 28 of the GDPR. Even though it is not explicitly stated in the GDPR, the data controller must ensure an adequate level of security when entrusting personal data to a data processor. The Datatilsynet considers this a prerequisite for the data controller's ability to comply with the basic principles of accountability in Article 5(1) of the GDPR and the GDPR in general. Consequently, the data controller must on a regular basis carry out appropriate audits of its data processors to ensure that the processing activities are compliant with the GDPR.
Due to the previous absence of practical guidelines on how to approach data processor audits, many data controllers have struggled in their attempts to audit their data processors, as many basic questions remained unanswered, e.g. what an appropriate audit would look like, how often to carry out an audit, and whether the data controller is allowed to differentiate between data processors and, if so, on which basis. To some extent, the Datatilsynet's guide on data processor audits answers these questions.
Data processor audits
Data processing agreements
The nature of an appropriate audit depends on the level of risk associated with the specific processing activity. The risk assessment must always be based on the risk to the data subject, and not on the risk to the data controller or other third parties.
When entrusting the processing of personal data to a data processor, the data controller must consider and assess how likely it is that the processing will compromise the data subject, and which consequences may follow from the identified risks. The data controller must expect that the higher the risk, the greater the requirements on the effort and level of supervision.
In practice, the data controller and the data processor jointly determine, based on the risk assessment, which measures constitute an appropriate level of security when entering into a data processing agreement. The specific security measures should be agreed upon in the data processing agreement. The data processing agreement thus constitutes the framework and basis for the supervision, and is the yardstick for determining whether the data processor complies with the agreed level of security and the obligations laid out in the agreement and in Article 28 of the GDPR.
Consequently, the first step is to ensure that:
- the data controller has entered into the necessary and mandatory data processing agreement;
- the involved parties have performed a risk assessment; and
- based on this assessment, the involved parties have agreed on the security measures necessary to ensure an adequate level of protection.
In other words, the data processing agreement forms the basis of the data processor audit.
Introduction of a points scale for risk assessments
To help determine how to audit data processors, the Datatilsynet introduced a points scale, which includes four simple questions. Depending on the answer to these questions, the data controller gives the data processor a total score from zero to ten points. The total score helps the data controller determine the appropriate level of control.
The total score depends on the answers to the following four questions:
- How many data subjects' personal data does the data processor process?
- Does the data processor process special categories of personal data under Article 9 of the GDPR?
- Does the data processor process other personal data which must be protected (e.g. confidential personal data)?
- Does the processing include special processing activities, which may be intrusive to the data subject's private life?
In particular, the question of whether the data processor processes other personal data which must be protected may give rise to doubts, as this is not a specific category in the GDPR. The Datatilsynet defines confidential personal data as information that, in the general opinion of society, ought to be kept from the public's knowledge. Examples of such information include information on examination grades, long-term unemployment, and disciplinary measures.
Choice of supervisory concepts
The Datatilsynet's guide introduces six supervisory concepts to choose from depending on the total score from the above risk assessment (e.g. if the total score is between three and four points, the data controller may choose between the supervisory concepts two to six).
The supervisory concepts include:
- Concept 1: The data controller audits the data processor only on suspicion that something regarding processing activities is wrong.
- Concept 2: The data processor confirms compliance with all obligations set out in the data processing agreement.
- Concept 3: The data processor conducts and documents an annual status on all processing activities related to the data processing agreement.
- Concept 4: The data processor adopts a relevant and updated certification or code of conduct.
- Concept 5: An independent third party audits activities relevant for the data processor's processing of personal data, for which the data controller is responsible.
- Concept 6: The data controller audits the data processor either solely or together with other data controllers.
Regardless of concept, the data controller must always ensure that:
- the audit includes the data processor's processing activities relevant to the data controller;
- the basis of the audit is the data processor's compliance with the data processing agreement;
- the audit includes any specifically agreed obligations set out in the data processing agreement; and
- the audit includes whether the data processor ensures sub-processor compliance.
Example of points scale and choice of supervisory concepts
If a data processor processes personal data regarding fewer than 1,000 data subjects (question one), and the processing activity does not include the processing of special categories of personal data or special processing activities (questions two and four), but does include the processing of some other confidential personal data (question three), the total score in the above risk assessment will be three points.
Based on a total score of three points, the Datatilsynet's guide concludes that the data controller may choose between supervisory concepts two to six.
Frequency of auditing
Unfortunately, the Datatilsynet's guide does not provide any specific assessment of the appropriate frequency of a data processor audit. The frequency of an audit depends on the risk assessments carried out by the data controller regarding the specific data processor. The higher the risk, the more frequently audits must be performed. In some cases, it may be necessary to audit data processors annually; in other cases, a lower frequency suffices.
The Datatilsynet's guide suggests that a higher frequency may be necessary if the data processor has had problems complying with agreements (not just the data processing agreement), e.g. where the data processor has experienced several serious security breaches, frequent sub-processor changes, changes of ownership, mergers, or radical changes in its data processing strategy, as such events may significantly change a company's strategy and priorities and thus affect processing security. In addition, the data controller must be aware of any circumstances speaking in favour of additional supervision, such as a pandemic that changes the way employees work and handle personal data. On the other hand, long-term collaboration with a stable data processor that has had no, or only a few, non-serious security breaches speaks in favour of a lower frequency.
Finally, the Datatilsynet's guide addresses the issue of auditing sub-processors. If the data controller has approved the data processor's use of sub-processors, the data processor must ensure that the sub-processor is subject to the same data protection requirements as those set out in the data processing agreement between the data controller and the main data processor. The data processor must ensure that any sub-processor complies with its data protection obligations. Therefore, the data processor must audit the sub-processor. The data processor may use the Datatilsynet's guide to assess its approach to sub-processor audits.
Camilla Sand Fink, Senior Associate and Head of Data Privacy Team
CLEMENS Law Firm, Aarhus