In an increasingly digitalized world, managing privacy and personal data becomes a crucial concern for every company. This article gives an overview of the responsibilities and challenges that agencies, freelancers, and consultants face when processing personal data.
1. The agency's responsibility in carrying out activities on behalf of the client
The first point is to understand what responsibilities the agency, or the external consultant, has in carrying out activities on behalf of clients. European Regulation 2016/679 (known to most by the English acronym "GDPR") imposes specific responsibilities for the processing of personal data, which vary according to the role one plays in the processing activities.
Regulatory provisions
Considering that the agency (or the individual professional) acts within the scope of the assignment given by the client, the former processes personal data on behalf of the latter. This means that, in most cases, the agency can be classified as a data processor while the client will be the data controller. Let's see, in brief and for the purposes of this topic, the differences:
- Data Controller: according to the regulation, this is the subject who is responsible for all decisions regarding the processing of personal data and on whom the main obligations of compliance with current regulations fall. The data controller can provide instructions to their processors who must comply with them.
- Data Processor: this is the subject that processes personal data on behalf of the controller. The processor must follow the instructions provided by the controller and ensure that the personal data entrusted to it is processed correctly. The data processor is also responsible for damages or offenses committed by its sub-suppliers, including in processing activities carried out on behalf of the client.
This difference in roles entails different responsibilities. In fact, the legislation places most of the obligations (and sanctions) on the data controller. The data processor must nonetheless act in accordance with the controller's instructions and propose an approach that complies with the regulation.
So as an agency, and consequently a data processor, you cannot neglect the regulatory aspects concerning privacy because part of the regulatory responsibility also falls on your role.
This means that in managing initiatives on behalf of the client (such as promotional campaigns, collection of new contacts, creation of a new web page, etc.), the agency cannot in any way replace the controller, and therefore the client, in the choices that they are required to make regarding privacy.
For example, if you draft a privacy policy on your own initiative, you are taking over an obligation that by law belongs to the data controller (client). So always be careful to respect the boundary that the regulation draws.
Service standards according to the Privacy Authority
Understanding the difference between roles and responsibilities in privacy management is fundamental to ensuring compliance with current regulations. Already in 2018 there is an example of a decision by the Data Protection Authority in which a sanction was imposed on a service provider, i.e., a data processor.
This provision analyzed the violations committed by both the controller and the processor, emphasizing the importance of respecting privacy principles, such as "privacy by design" and "privacy by default". These principles require that personal data protection be integrated from the beginning in processes, applications, and approach to the client.
This principle also applies to those who, like consultants, provide services that do not involve the sale of products but solely involve the offer of an intellectual service. For example, a consultant who requests access to all personal data of their client might be violating privacy principles that involve the need to process only the data strictly necessary to achieve the purpose of the processing.
So the data processor's approach, too, must follow the logic of compliance with the European Regulation.
This regulatory overview reminds us that agencies and consultants, although often classifiable in the role of data processors, must guarantee a service that provides security and protection of personal data processed, from the beginning of the collaboration.
2. Website & App: responsibility in creating policies, etc.
As we've just seen, therefore, the data controller, i.e., probably the client, is the one who is responsible for all decisions regarding the processing of personal data as well as the preparation of documentation to be submitted to the data subject (i.e., the natural person whose personal data is processed).
Creating documentation
Legal documentation plays a crucial role, representing a regulatory obligation which according to the regulation belongs, for the most part, to the data controller (the client).
Among the documents to be prepared in the digital context, we remember:
- Privacy policy: describes how the controller intends to process the data acquired through the website or app. For example, it is good practice to ask how long personal data obtained through a contact form is kept; it is the controller who must establish deletion policies.
- Cookie policy: explains which cookies are installed by the site and which tracking tools the controller uses; it is a fundamental document for both web and app.
- Preparation of any consent wording, if the data controller considers that one or more processing operations carried out through the website or app are based on consent rather than on another legal basis.
Let's look at some practical examples. If you create a contact form for your client, it must be the client who tells you if, and to what extent, consent must be requested to process the data thus acquired. Similarly, the privacy policy must state the retention period established by the data controller, including for personal data collected through the form. When the data processor prepares a document that falls within the controller's competence and sets a retention period that has not been approved, shared and decided by the controller, it is crossing the regulatory boundary we talked about earlier. This, in fact, is a decision that must be made by the data controller.
Let's take another example: if your client's site uses only technical cookies, it is not necessary to show an information banner on the first visit to the website (privacy and cookie policies must still be present, however). The final decision on whether the banner appears at first access nonetheless remains with the client, although the agency can offer a suggestion.
So it is always advisable to obtain a form of approval and accountability from the client themselves.
How to proceed?
However, it often happens that the client does not want to deal with these issues, which are often seen as useless bureaucracy; the agency then finds itself wanting to propose generic content in order to go online with the site or app using standard documents, in the erroneous belief that this protects the client. As we have seen, this way of operating is not correct.
So what to do in these cases? Here are a series of suggestions:
- Client accountability: remind the client that disinterest or outsourcing an activity does not mean "offloading responsibilities". In fact, even if an agency has been delegated to carry out a project, the responsibility before the authorities lies with the data controller.
- A good practice is to have the contents approved, such as cookie and privacy policy, by the client before they go online.
- Another important point is to assess whether any responsibilities related to the creation of content, such as the privacy policy, are the subject of a specific contractual assignment.
- Selection of suppliers: although it is true that most of the responsibilities remain with the client (data controller), the agency may be called to answer for its sub-suppliers. In fact, as a data processor, you are called to make a careful selection of suppliers: if a supplier fails to fulfill its obligations regarding personal data protection, the processor is jointly liable before the data controller.
- Remember that it is always important to follow the controller's instructions and not decide independently. In this case, in fact, we risk being directly exposed to possible disputes.
3. Inspections and controls: what could the Privacy Authority verify
So far we have talked about some documents to be prepared to be compliant, but what could the Authority actually check in case of inspection?
The elements that the Privacy Authority could verify regarding the compliance of a web page are the following:
- Legal documents: the Authority verifies that the content of the Privacy and Cookie Policy is truthful, current and targeted. For example, declaring profiling that is not actually carried out, or listing suppliers that are not actually used, could lead to a charge of untruthful information.
- Cookie banner: the Authority can verify the presence and informative content of the banner. In particular, the banner must be compliant with regulations, correct and updated.
- Preventive blocking: the Authority also verifies that non-technical cookies are effectively blocked until the user actually accepts them.
- GDPR compliance: when the Authority subjects a site or an app to controls, it conducts general checks with respect to the European Regulation, verifying that the indications and principles that the regulation provides are respected.
- Legal bases: the Authority will also verify the correct identification of the legal bases of the processing. For example, in case of promotion and marketing activities, such as sending newsletters, it will check that consent has been adequately requested.
How is one contacted by the Privacy Authority?
The Authority can carry out a physical inspection at the company headquarters or can conduct remote inspection activities (by requesting information from the entity under control). In larger or more complex corporate realities, which have a DPO (Data Protection Officer), the Authority can contact this figure directly.
How much are the fines of the Privacy Authority for non-compliance with GDPR?
The amount of fines imposed by the Privacy Authority for non-compliance with GDPR varies greatly. In the past, the Privacy Code provided for minimum and maximum sanctions. Currently, the limits are much higher, potentially reaching millions of euros or a percentage of annual turnover.
The Authority calibrates fines based on the severity of the violation, the number of people involved, the cooperation offered by the company and other relevant factors. In general, for unwanted promotional activities, sanctions tend to be in the order of tens of thousands of euros, but each case is evaluated individually without a fixed standard. The European regulation allows the Authority to modulate sanctions considering various parameters, and therefore there is no predetermined tariff.
What is the probability that the Authority will control an SME?
The probability that the Authority will carry out a control on an SME is variable and not easily quantifiable in percentage terms. The size of the company is a relative factor; for example, a small company that processes sensitive data or data of vulnerable people could be more at risk of an inspection on the Authority's own initiative than a large company with less sensitive data processing.
The Privacy Authority publishes an action plan every six months, indicating the sectors it intends to inspect on its own initiative, randomly selecting companies in various sectors and geographical areas. In addition, the Authority can initiate controls following reports from natural persons who believe that their data has not been adequately processed. Many of the inspections start precisely as a result of such reports.
4. Unwanted communications: how to handle data subject requests
The data subject, i.e., the natural person, has the right to request and obtain information concerning them. For example, they can ask the company what personal data concerning them it has collected, where it collected it, and everything that GDPR provides. Once the request is made, the data subject has the right to receive a response within 30 days.
As an agency or consultant, we must enable our client to respond in the most precise, transparent and fast way possible.
Who does the data subject address?
According to the regulation, the competence to respond to requests submitted by the data subject belongs to the data controller.
However, it can happen that the data subject addresses the agency (for example because they reply directly to the sender of a newsletter). In this case, the request must be shared with the data controller, who must be supported in handling it. Otherwise, we are exposed to a possible direct dispute.
The data controller will respond to the data subject providing them with all the requested information. These may also include: where was the data obtained from? How was consent given? What information do you have about the data subject?
So when a contact who subscribed to the newsletter via a form on the site is managed by the agency, it is the agency's task to provide the client with all the information needed to respond to the request.
Unwanted emails: how to protect yourself?
Here are some key steps to ensure proper consent management and protect yourself.
- The cardinal principle in sending commercial communications is to have obtained specific consent from the person.
- Consent is formally given to the data controller. It often happens that the agency collects it on their behalf.
- Having a consent register allows you to reconstruct when consent was given and by what method it was collected, and to prove, as far as possible, the identity of the person.
- Remember not to populate a newsletter database with contacts that are not covered by consent; if the controller gives a different instruction, this must be pointed out.
- Keep track of activities carried out on behalf of clients (consents collected, information provided, etc.).
- Do not take the initiative of responding to a person contesting the lawfulness of the processing without having consulted the actual data controller.
I received a lead during a trade show and added it to the mailing list. How can I demonstrate consent?
Demonstrating consent can be a delicate matter. If you're sure the person verbally consented to receive the newsletter during the trade show, it's advisable to send a contextual confirmation email. For example, you can send a message like: "Thank you, [Name], for our exchange at the trade show. As per your request, I've subscribed you to our newsletter. If you've changed your mind, please let me know."
It's important not to use this method to avoid asking for consent. Sending a confirmation email to all collected contacts, regardless of whether they actually requested to be subscribed, makes it more difficult to prove consent. An email doesn't have the same strength as a signed document or a verifiable digital acceptance, such as clicking on a consent checkbox.
Remember that when you collect consent, you must be able to prove it. The validity of consent will depend on the context in which it was obtained. The proposed solution, although operational, has weaknesses regarding the ability to prove consent unequivocally. A signed form or the use of technical tools like QR codes that allow tracking of the subscription are better options.
How important is it to have a consent archive?
Having a consent archive is extremely important both for the data controller and for the processor who collects data on behalf of a client.
Maintaining a record of consent provided by individuals is crucial, especially in case of inspections or if a person requests information about what data we have on them, how we obtained it, and in what way. This archive allows us to reconstruct the history of consent, ensuring transparency and compliance with regulations.
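The consent register described in this section and in the steps above, as an added example that is not part of the original article: an agency acting as processor keeps one record per consent event, refuses to add unconsented contacts to a newsletter list, and can hand the controller the material needed to answer a data subject request. Field names, the evidence ranking and all sample records are constructed assumptions.

```javascript
// Added example, not the article's or any product's code. Every value below is constructed.
// Evidence strength follows the article's ranking: a signed form or a verifiable digital
// acceptance (checkbox, QR sign-up) outranks a confirmation email sent after the fact.
const EVIDENCE_STRENGTH = { signed_form: 3, checkbox_click: 3, qr_signup: 3, confirmation_email: 1 };

// Append one consent event. Each entry names the controller so one agency can keep
// several clients' consents apart and report per controller.
function recordEvent(register, event) {
  const required = ["subject", "controller", "purpose", "action", "method", "source", "timestamp"];
  for (const f of required) {
    if (event[f] === undefined) throw new Error(`missing field: ${f}`);
  }
  if (!["given", "withdrawn"].includes(event.action)) throw new Error("action must be given|withdrawn");
  register.push({ ...event });
  return register;
}

// Consent is valid only if the latest event for this subject/controller/purpose is "given";
// a later withdrawal cancels it.
function hasValidConsent(register, subject, controller, purpose) {
  const latest = register
    .filter(e => e.subject === subject && e.controller === controller && e.purpose === purpose)
    .sort((a, b) => a.timestamp.localeCompare(b.timestamp))
    .pop();
  return latest !== undefined && latest.action === "given";
}

// Split a candidate mailing list into covered and uncovered contacts, so the
// newsletter database is never populated with addresses lacking consent.
function filterRecipients(register, controller, purpose, contacts) {
  const allowed = [], rejected = [];
  for (const c of contacts) (hasValidConsent(register, c, controller, purpose) ? allowed : rejected).push(c);
  return { allowed, rejected };
}

// Material the agency passes to the controller for a data subject request:
// where the data came from, how consent was given, and how strong the evidence is.
function subjectReport(register, subject, controller) {
  return register
    .filter(e => e.subject === subject && e.controller === controller)
    .map(e => ({ purpose: e.purpose, action: e.action, when: e.timestamp, source: e.source,
                 method: e.method, evidenceStrength: EVIDENCE_STRENGTH[e.method] ?? 0 }));
}

// Constructed sample register for a hypothetical client "ClientCo" (timestamps are ISO 8601, UTC).
const register = [];
recordEvent(register, { subject: "anna@example.org", controller: "ClientCo", purpose: "newsletter",
  action: "given", method: "checkbox_click", source: "site contact form", timestamp: "2024-03-01T10:00:00Z" });
recordEvent(register, { subject: "bruno@example.org", controller: "ClientCo", purpose: "newsletter",
  action: "given", method: "confirmation_email", source: "trade show", timestamp: "2024-03-02T09:30:00Z" });
recordEvent(register, { subject: "bruno@example.org", controller: "ClientCo", purpose: "newsletter",
  action: "withdrawn", method: "email_reply", source: "reply to newsletter", timestamp: "2024-03-10T08:00:00Z" });
```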
My site complies with all the regulations except for the preventive blocking. Am I still at risk of a fine?
Yes, there is still a risk. Even if the site complies with all other parameters, the absence of preventive blocking means it is not fully compliant with regulations. If a site tracks a person with a profiling cookie without their consent, it is violating regulatory guidelines.
Preventive blocking is one of the fundamental elements for compliance, and its absence can lead to disputes. Each non-compliant element can be subject to sanctions. It's not necessary to have multiple missing elements to incur penalties; even a single deficiency can be contested.
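How the preventive blocking discussed above works in practice, as an added example that is not code from the original article or from any consent platform: non-technical tags are shipped inert (`type="text/plain"`) and only switched on for categories the visitor has explicitly accepted; on a first visit, with no stored choice, everything except technical scripts stays blocked. The cookie name, its JSON format, the category names and the element-like stand-in for DOM nodes are assumptions.

```javascript
// Added example, not the article's or any product's code. Markup such as
//   <script type="text/plain" data-consent-category="marketing" src="https://tracker.example/t.js"></script>
// does not execute in a browser; after consent the tag's type is switched and, in a real
// page, the node is cloned and re-appended so the browser actually runs it.
const CONSENT_COOKIE = "consent_prefs"; // assumed cookie name, JSON value e.g. {"analytics":true}

// Parse the visitor's stored choices from a Cookie header; null means no choice yet.
function parseConsent(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const prefs = JSON.parse(decodeURIComponent(rest.join("=")));
      return typeof prefs === "object" && prefs !== null ? prefs : null;
    } catch { return null; } // malformed cookie is treated as "no consent"
  }
  return null;
}

// Technical scripts need no consent; every other category requires an explicit true.
// Absence of a stored choice (first visit) blocks, which is the "preventive" part.
function mayActivate(category, prefs) {
  if (category === "technical") return true;
  return prefs !== null && prefs[category] === true;
}

// Element-like stand-in for a DOM script node so the logic runs outside a browser.
function makeTag(attrs) {
  const a = { ...attrs };
  return { getAttribute: k => (k in a ? a[k] : null), setAttribute: (k, v) => { a[k] = v; } };
}

// Walk the inert tags and switch on only those the stored preferences allow.
// Returns the categories that were activated, in document order.
function activateConsented(scripts, prefs) {
  const activated = [];
  for (const s of scripts) {
    const category = s.getAttribute("data-consent-category") || "technical";
    if (s.getAttribute("type") !== "text/plain" || !mayActivate(category, prefs)) continue;
    s.setAttribute("type", "text/javascript");
    activated.push(category);
  }
  return activated;
}
```

In a real page, `scripts` would be `document.querySelectorAll('script[type="text/plain"]')` and each activated node must be cloned and re-inserted, since changing `type` on an existing node does not execute it.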
Avacy: CMP for GDPR Compliance
As we've seen, agencies and consultants must ensure that their clients operate in a GDPR-compliant manner. An effective solution in this area is Avacy, a Consent Management Platform (CMP) that allows websites to collect, manage, and document user consent in compliance with regulations. This platform enables the integration of a consent banner for cookies and other tracking, ensuring that users are adequately informed and their consent is obtained before personal data is processed.
With Avacy, agencies can assure their clients that every aspect of consent management is monitored and documented, reducing the risk of non-compliance and potential sanctions.
Conclusion
Managing privacy and personal data is a fundamental responsibility for agencies, freelancers, and consultants. Understanding the differences between the role of the controller and that of the processor is crucial to avoid sanctions and ensure compliance with regulations. Using tools like Avacy for consent management can simplify this task, offering a secure and compliant solution for collecting and managing personal data. Ultimately, a conscious and responsible approach to privacy not only protects against sanctions but also builds trust and transparency with clients and users.