The General Data Protection Regulation (GDPR) was adopted by the European Union (EU) in 2016 and has applied since 25 May 2018. It sets out how the personal data of individuals in the EU must be collected and processed.
One of the key elements of compliance is for organisations and enterprises to have in place a GDPR Data Processing Agreement (DPA).
A DPA should detail how an individual’s data is processed for business purposes, and is essentially a contract between a business, defined under GDPR as a data controller, and a service provider (known as a data processor).
Just about every organisation or business in the EU that collects personal data in any form will use a third-party service to process that data. A DPA is required (Article 28 GDPR) so that the data controller can ensure that the data of its users, employees and clients held by a data processor is being properly protected, and so that the processor's obligations are enforceable.
It should also be noted that even a company with no legal entity in the EU must have a DPA in place if it collects data from individuals in the EU, because GDPR applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU.
What is required to be compliant with GDPR regulations regarding a DPA?
The form that a DPA takes is not stipulated by the GDPR in terms of whether it is a discrete document or incorporated into the contract between the data controller and processor.
Likewise, there is no set template that a DPA should follow; however, there are clear guidelines as to what must feature in a DPA in order to ensure compliance. This includes the distinct and specific responsibilities of the data controller and the data processor.
For the former, these include establishing a lawful basis for the processing (consent is one such basis, but not the only one), informing data subjects of their rights, and giving the processor documented instructions as to how the data may be used.
The data processor's responsibilities include processing the data only on the controller's documented instructions, maintaining the security of the data, facilitating audits, assisting the controller with data subject requests, reporting data breaches, and deleting or returning the data at the end of the engagement.
A DPA should also explicitly detail the technical and organisational measures that have been put in place to protect the data (for example encryption, pseudonymisation, access control and logging), and how compliance can be demonstrated, for instance through audits and reviews.
In the case of a personal data breach, the data controller must report it to the relevant Data Protection Authority (in the UK, the Information Commissioner's Office) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to the individuals concerned, they must also be informed without undue delay, unless specific technical and organisational measures (such as encryption that renders the data unintelligible) make this unnecessary.
If the data processor identifies a breach first, it must notify the data controller without undue delay; the obligation to notify the Data Protection Authority and the affected individuals then rests with the controller, which is why a DPA should state how quickly the processor must report and what information it must provide.
What are the penalties for noncompliance with GDPR?
The penalty applied in a case of GDPR non-compliance depends on the nature, gravity and duration of the infringement, which need not involve a data breach at all.
These penalties can include a formal reprimand, or a ban on data processing (either temporary or permanent).
In more egregious cases, fines will be imposed. Lower level violations can attract fines of up to €10 million, or 2% of the company’s total global turnover of the preceding fiscal year (whichever is higher).
In what are deemed severe GDPR violations, the fines can be as much as €20 million, or 4% of the company’s total global turnover of the preceding fiscal year (whichever is higher).
Is biometric data covered by GDPR?
Biometric data is defined in Article 4(14) GDPR as "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data" (that is, fingerprint data).
Where biometric data is processed for the purpose of uniquely identifying a person, it is a special category of personal data under Article 9. Processing it is prohibited unless one of the Article 9(2) exceptions applies, the most commonly relied-on being the data subject's explicit consent, so sharing it with third parties, including service providers, without such a basis is unlawful.
The rules for biometric data are therefore stricter than those for ordinary personal data, not merely equivalent to them, and infringements involving it are treated accordingly.
The case of Carrefour: a cautionary tale
One of the most important examples that demonstrates what can happen to companies that do not fully comply with GDPR regulations, in particular as they pertain to biometric data, is the case of Carrefour.
In June 2021, the international French supermarket chain was deemed to have violated GDPR regulations with regard to employee privacy.
Carrefour had implemented a biometric system so that it could monitor its employees’ attendance; however, it did so without obtaining the explicit consent of employees to do so.
In addition, it was determined that insufficient information was provided to individuals in the workforce as to how their biometric data would be utilised, nor had the provisions that had been put in place to protect it been fully explained.
It was also determined that Carrefour did not undertake a data protection impact assessment, as required by GDPR.
The consequences for Carrefour of this infringement were significant: it was fined €3 million by the regulator, the French Data Protection Authority (CNIL).
This case, affecting one of the world's biggest retailers, demonstrates that no organisation should consider itself beyond the reach of GDPR, and that when it comes to all forms of personal information, biometric data included, there are serious consequences to violating the privacy rights of employees as well as those of clients and users.