
5. SAAS DPA SCENARIOS

6.1. Processing Details: Subject Matter, Nature and Purpose of Processing

Prior to 25 May 2018, companies were largely engaged in "re-papering" their existing contracts to include the DPA content requirements. While these efforts were based on an interpretation of Article 28(3) of the GDPR, the term "subject-matter" was read by many as reflecting the purpose of the processing. Although the purpose of processing may reflect the subject-matter of the processing, the author finds that these two concepts serve different functions.

Both Microsoft105 and Amazon106 define "subject-matter" as the processing of customer-related personal data within the scope of the GDPR. By doing so, the parties agree that the object that undergoes processing is personal data. While the author agrees with the approach taken by Microsoft and Amazon, the author believes that the "subject-matter" of processing should also include the general objective or task whose performance requires the processing of personal data.


105 Microsoft Online Terms, available on: http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31 p.8. Accessed May 19, 2019.

106 Amazon Data Processing Addendum, available on: https://d1.awsstatic.com/legal/aws-

Subsequently, a DPA would clarify which processing operations constitute the nature of processing and assign a purpose to one or all of the named processing operations. The author believes that not only the purpose of processing but the subject-matter as well should justify engaging in processing: the subject-matter should demonstrate the link between the processing and the main transaction (e.g. the provision of software) between controller and processor.

The nature of processing can be construed as one or more processing operations performed on personal data (e.g. storage, erasure, use). The DPA itself is the initial set of instructions for the processor, containing the authorization for the processing operations to be carried out on the defined personal data. Identifying the nature of processing is paramount to performing a privacy risk assessment that identifies and manages privacy risks.107

The purpose of processing describes why the parties engage in the processing of personal data. It is important to link the nature of processing with the specific purpose the parties pursue. For convenience, some companies provide only a general link to the main agreement, stating that the purpose of processing is "fulfilment of contractual obligations with the customer". The author believes that this vagueness does not meet the GDPR requirements. The purpose of processing needs to be consistent with the scope of the legal basis relied upon by the controller. For example, suppose a controller is using a SaaS ERP for accounting purposes. Let us assume that the controller is acting within its employment contract with a data subject and has informed the data subject of its intention to use a third-party processor. Whereas an employment agreement is a valid legal basis under Article 6 of the GDPR, it is confined to the set of specific functions required for the controller to fulfil its obligations as employer. The employer is therefore entitled to use the SaaS ERP product to calculate payroll and manage resources. These functions, which are in line with the legal basis, must be reflected in the DPA and must match the actual processing operations performed by the processor. If, for example, the scope of processing operations contains operations that exceed the named purposes (e.g. behavioural analytics), the controller must verify whether it possesses an appropriate legal basis for them.

It is true that some SaaS providers employ the same processing operations across all of their products, and therefore the indication of a particular purpose may seem of secondary importance. However, the parties must acknowledge that failure to identify the concrete purpose of processing means being unable to verify whether the processing operations are required at all. If the processing operations cannot be justified, such processing would be contrary to the purpose limitation principle108. That is why, when defining the purpose of processing, the parties should indicate precisely which products and services require the processing operations included under the "nature of processing", "types of personal data" and "categories of data subjects" set out further in the DPA.

Clarity in these processing details is essential to ensuring a timely response to a data subject's access request under Article 15 of the GDPR without resorting to the controller's rights described in Article 28(3)(e) of the GDPR.

107 Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679, p.6.

Depending on the complexity of the service, it is suggested that the functionality of the microservices used in the processing be stated as the purpose of processing. As a result, the purpose of processing will not be a general purpose that often merely copies the subject-matter of the main contract, but will explicitly state which purposes are served by the processing.

To avoid ambiguity of interpretation, the purpose of processing can be linked with the other processing details. For example, when indicating the purpose of processing, that purpose can be linked with specific types of personal data and processing means. Suppose the controller and processor agree that one of the purposes of processing is support ticket registration. That information can be supplemented by indicating the processing operations (e.g. "storage", "registration", "disclosure"), the types of personal data (e.g. first name, last name, company, title) and the categories of data subjects (e.g. the controller's employees). Other services provided under the same agreement can be represented in the same manner. The benefit of this model is that it assists the controller in ensuring the transparency of processing and compliance with the data minimization principle, as both parties would consider whether the processing details tied to a specific purpose are adequate and whether they entail additional risk to the data subjects.
