Danish Privacy Regulator: Data Processor Violated GDPR by Using Unapproved Sub-Processor

Danish Data Protection Agency faulted a data processor for using an unapproved sub-processor in violation of the GDPR and national data processing regulations.

In this case, several Danish municipalities (data controllers), retained company EG A/C (data processor) to develop, operate, and maintain a financial management system for the municipalities.  EG, in turn, retained a supplier ServiceNow to manage its Service Desk.  EG is based in Netherlands, but has affiliated companies in the United States, India, and Australia.  In addition to processing ongoing support requests through the Service Desk System, ServiceNow was also responsible for implementing system updates, security updates, and security patches.

Article 28(2) of the GDPR provides that “[t]he processor shall not engage another processor without prior specific or general written authorization of the controller.”  ServiceNow, however, was not listed as an approved sub-processor in the agreement between the municipalities and EG.  The Danish Data Protection Agency found that EG violated the GDPR and national data processing regulations by engaging an unauthorized sub-processor.

Lacking the authority to transfer personal data to ServiceNow, EG also lacked the authority under the GDPR to transfer data to third countries.  Furthermore, ServiceNow could not guarantee that personal data would not be processed outside of the European Union, or processed in the third countries based on the mechanisms prescribed by the Regulation.   The GDPR provides that personal data may be transferred outside of the European Union only if the transferee country ensures an adequate level of protection of the data.  In the absence of the adequacy decision by the European Commission, data can only be transferred on the basis of one of several prescribed mechanisms, such as Standard Contractual Clauses.  See GDPR Art. 44.  Thus, the Data Protection Agency criticized EG for violating general principles of data transfer to third countries under the GDPR.

Approval of sub-processors is an important element of vendor risk management for data controllers but currently is not a statutory requirement in the United States.  However, a recently proposed Washington Data Privacy Act will, similarly to the GDPR, require processors to engage subcontractors only after providing a controller with an opportunity to object and pursuant to a written agreement which would require subcontractors to meet obligations imposed on processors with respect to personal data.

Ask Clarip today how we can solve your biggest compliance pain points, Call Clarip at 1-888-252-5653