March 5, 2021

Volume XI, Number 64


So Many Confusing Terms! Is a service provider (CCPA) really the same thing as a processor (GDPR)?

No.

The European GDPR does not use the term “service provider” and instead refers to “processors.” While processors under the GDPR are defined in a manner similar to service providers under the CCPA, the GDPR is far more prescriptive regarding the contractual terms that must be present in a processor agreement. Specifically, the GDPR requires that a controller and a processor clearly set forth the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data involved, the categories of data subjects involved, the obligations and rights of the controller, and the following substantive provisions:

  1. Documented instructions. The processor will only process personal data consistent with the controller’s documented instructions.[1]

  2. Confidentiality. The processor must ensure that persons authorized to process personal data have committed themselves to confidentiality.[2]

  3. Processor security. The processor must implement appropriate technical and organizational measures to secure the personal data that it will be processing.[3]

  4. Subcontracting authorization. The processor must obtain written authorization before subcontracting, and must inform its client before making any change to its subcontractors.[4]

  5. Subcontracting flow-down obligations. The processor must flow down its contractual obligations to its sub-processors.[5]

  6. Subcontracting liability. The data processor must remain fully liable to the controller for the performance of a sub-processor’s obligations.[6]

  7. Responding to data subjects. The data processor must assist its client in responding to requests by a data subject.[7]

  8. Assisting the controller in responding to a data breach. The data processor must cooperate with its client in the event of a personal data breach.[8]

  9. Assisting the controller in creating a DPIA. The data processor must cooperate with its client in the event the client initiates a data protection impact assessment.[9]

  10. Delete or return data. The data processor must delete or return data at the end of the engagement.[10]

  11. Audit right. The data processor must allow its client to conduct audits or inspections for compliance with these obligations.[11]

  12. Cross-border transfers. The data processor must not transfer data outside of the European Union without permission from its client, the data controller.[12]

In comparison, in order to be considered a service provider under the CCPA, a legal entity need only process personal information “on behalf of a business”[13] and be prohibited by contract from:

  1. Retaining the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”[14]

  2. Using the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”[15] or

  3. Disclosing the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title.”[16]

Note that the CPRA incorporated some, but not all, of the additional processor requirements mandated by the GDPR. For example, the CPRA requires that a service provider flow down its contractual obligations to subcontractors.[17]


[1] GDPR, Article 28(3)(a).

[2] GDPR, Article 28(3)(b).

[3] GDPR, Article 28(1), (3)(c); GDPR, Article 32(1).

[4] GDPR, Article 28(2), 28(3)(d).

[5] GDPR, Article 28(3)(d); GDPR, Article 28(4).

[6] GDPR, Article 28(3)(d).

[7] GDPR, Article 28(3)(e); GDPR, Articles 12-23.

[8] GDPR, Article 28(3)(f); GDPR, Articles 33-34.

[9] GDPR, Article 28(3)(f); GDPR, Articles 35-36.

[10] GDPR, Article 28(3)(g).

[11] GDPR, Article 28(3)(h).

[12] GDPR, Article 28(3)(a); GDPR, Article 46.

[13] Cal. Civ. Code 1798.140(v) (Oct. 2020).

[14] Cal. Civ. Code 1798.140(v) (Oct. 2020).

[15] Cal. Civ. Code 1798.140(v) (Oct. 2020).

[16] Cal. Civ. Code 1798.140(v).

[17] Cal. Civ. Code 1798.140(ag)(2).

©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 22
About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...
