Data Processors for Privileged International Organisations are Freaking Out under GDPR!
The General Data Protection Regulation (GDPR) was published by the EU as Regulation (EU) 2016/679, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Information Management and Legal teams from treaty-based/privileged international organisations operating in Europe, such as the United Nations, are still struggling to understand the GDPR. Their vendors are in an even bigger quagmire, and they are freaking out. Privileges and immunities usually come from three areas: treaties and international agreements, host-state agreements, and domestic law. It is not yet clear to everyone how these would be harmonised where they conflict with the GDPR.
Most International Organisations (IOs) have no choice but to work, one way or another, with other parties that are subject to EU law, through outsourcing, cloud services, contractors, etc. This means that the new law has both direct and indirect effects on "immune" IOs. To compound the matter, parties such as contractors, vendors and cloud operators that process data on behalf of the IOs are pressured by the law to review their contractual agreements to line up with the GDPR. But many are freaking out because IOs claim immunity and exemption from legal process and will not sign GDPR contract addenda.
Main Considerations for IOs
The GDPR principle of lawful processing (Article 5, GDPR) requires that all such contracts be reviewed.
Third parties are required under the law, by the principle of specification and limitation (Article 5, GDPR), to visibly define the purpose for which they process IOs' data.
Under the principle of data quality (Article 5, GDPR), third parties need to have specific retention and quality agreements with the IOs regarding the data they process, and, even more importantly, regarding where exemptions to disposition exist.
Articles 12-22 of the GDPR detail the rights of data subjects; through the fair processing principle, this makes it illegal to process personal data covertly through parties subject to the GDPR unless permitted by law.
Through the principle of accountability, IOs, even though they are immune, have a duty to ensure that their processing parties actively implement data protection according to the law. This is because IOs cannot exempt their data processing parties from complying with the law.
Lingering Questions
The following are some of the questions that remain unanswered in this regard:
1. To what extent are Treaty based international organisations such as the UN subject to compliance requirements of the law?
2. Should we assume that the GDPR does not affect the validity of elements of existing international agreements that touch on information sharing, concluded by the Member States such as Host-State Agreements?
3. Should such international organisations consider practical changes to their data processing contracts, e.g. to enable them to quickly identify and isolate all copies of all personal data relating to EU data subjects (contractors, staff, EU intermediaries, visitors, etc.)?
4. Can international organisations provide cover for data processors by claiming legitimate interests as the statutory basis for the processing of personal data in the course of ordinary business activities?
5. It is clear that vendors are not exempt, but are staff, consultants, contractors and interns exempt from liability for harm arising from infringement of the regulation (e.g. UN staff transmitting personal data to vendors within and outside the EU without seeking the permission of the local Data Protection Authority (DPA))? And can staff of IOs claim their rights under the GDPR with respect to their personal data in the hands of third-party processors?
6. The GDPR imposes legal compliance obligations directly on data controllers and processors. To what extent should procurement departments in IOs require their vendors, consultants and contractors to demonstrate compliance with the GDPR before entering into contracts involving the handling of personal data, or can privileged/diplomatic staff feign ignorance?
7. How urgently should internal actions be taken to update documentation, policies, procedures, and processes, as well as training of staff on how to handle personal data to comply with this law?
If you have completed previous analysis of this law and its impact on data processing in international organisations such as the UN, kindly do share. Contributions to this discussion are welcome.
Information, Records and Archives Management - Specializing in International Organizations
IOs don't tend to be too concerned about data protection law, especially as they are rarely into personal data processing beyond their own HR. Though they are invariably interested in protecting the confidentiality of their information and run into difficulties with third-party contractors, for example for cloud storage. Still, it would be interesting to see examples from legal teams' point of view as they emerge. Though I doubt IM staff in IOs need to worry any more about GDPR than they have about previous data protection laws, that is beyond using them as a good benchmark for their own Information Governance policies, and raising awareness of them to management, legal teams and I.T. Meanwhile, what I'd like to see from IOs is something that resembles member states' best practice for Freedom of Information, and in this case it could be well used to answer many of the questions you pose.