Do the laws in your jurisdiction apply directly to service providers that process PII, or do they typically only apply through flow-down contractual requirements from the owners?

Data Protection & Cyber Security

Russia

The laws apply first of all to data controllers, who are responsible for the activities of the data processors they engage. Most obligations under Russian PII laws are addressed to the data controllers, not the processors. Some provisions (e.g., the general rules on data security) apply directly to both controllers and processors.

Where a service provider is an independent data controller, all obligations are imposed on such provider by virtue of law and it bears all regulatory risks. However, in most cases the service providers engaged in data processing position themselves as data processors.

The scope of obligations of data processors and data controllers is largely the same. Data processors are also obliged to apply the requirements of Russian data legislation, maintain the confidentiality of PII and implement the security measures provided for by the legislation. However, the more precise scope of the processor’s security measures shall be specified in the controller’s assignment/instructions. So, although the general security obligation applies to the data processor (service provider) directly by virtue of law, the way to comply with such obligation shall be agreed with the data controller.

The important regulatory difference between these two roles is that data processors are not obliged to obtain the consent of data subjects or to verify whether there are other legal grounds enabling them to process the data, since this is an obligation of data controllers. Data processors are accountable only to data controllers and not to data subjects. Therefore, data controllers take all responsibility before data subjects for violations committed by data processors.

There have been some draft bills proposing to impose more obligations directly on processors. However, they have not been enacted.

Argentina

The Data Protection Law specifically regulates certain aspects of the relationship between data controllers and data processing services providers.

The Data Protection Law establishes the need for a data processing agreement when data processing services are provided. The data may only be used for the purpose provided in the agreement, and may not be assigned (even for its storage). Additionally, once the data processing services have been rendered, the data must be destroyed unless there is an express authorization from the data controller, where it can be reasonably presumed that further services will be required. In that case, the data can be stored for 2 years.

Brazil

The data controller or data processor who, as a result of carrying out activities of processing personal data, causes material, moral, individual or collective damage to others, in violation of the legislation for protection of personal data, is obligated to redress/repair it.

The data processor is jointly liable for any damages caused by the processing if it fails to comply with the obligations of the data controller, or fails to follow the lawful instructions of the controller in which case the processor is deemed equivalent to the controller, except if they prove that:

  • They did not carry out the processing of personal data that is attributed to them;
  • Although they carried out the personal data processing attributed to them, there was no violation of the data protection law;
  • The damage results from exclusive fault of the data subject or any third party.

Bulgaria

The GDPR as well as the PDPA apply directly to both the owner of PII (the data controller) and the service providers that process PII, irrespective of whether the latter process the PII on behalf of the owner (as data processors) or for their own purposes (as data controllers).

When service providers act as data processors (and process PII solely on behalf of the owner and under the latter’s instructions), the relations between them and the owner have to be arranged by a written contract or other written and binding legal act, setting out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the rights and obligations of both parties (Article 28 GDPR).

Notwithstanding the obligation to settle controller-processor relations in writing, both GDPR and the PDPA contain provisions which directly apply to data processors, such as the obligation to observe the general principles for data processing, to keep records of data processing activities, to implement appropriate technical and organisational measures to ensure an adequate level of data security, etc.

Switzerland

Many obligations in the FADP explicitly address the controller of the data file (for example the right to access or the notification of data files to the FDPIC). Other provisions do not only address the controller of the data file, but any person who processes personal data. This is the case for the general data processing principles (art. 4 et seq. FADP) or the data security obligation (see art. 7 FADP).

Furthermore, art. 10a FADP sets out the following: The processing of personal data may be assigned to third parties by agreement or by law if:

  • the data is processed only in the manner permitted for the instructing party itself; and
  • it is not prohibited by a statutory or contractual duty of confidentiality.

The instructing party must in particular ensure that the third party guarantees data security.

Spain

The GDPR regime applies to any service provider who accesses personal information in the course of providing a service to a Controller, regardless of whether or not a formal data processing agreement (DPA) has been signed. However, the signing of this type of contract is a mandatory legal requirement for this type of relationship, so its absence implies that the obligations of the parties regarding data protection will not be well defined. Consequently, in case of infringement of the data protection obligations by any of the parties, the non-existence of this contract may lead to co-liability and/or higher penalties.

Chile

Yes, the Data Privacy Act applies directly to service providers that process PII because all processing of PII is covered. In the Data Privacy Act, data processing is defined broadly as any action or set of technical operations or procedures, automated or not, that make it possible to collect, store, record, organize, prepare, select, extract, match, interconnect, dissociate, communicate, assign, transfer, transmit or cancel personal data, or use it in any form. Hence, no difference is made between those who control or own PII and those who provide PII processing services to owners.

The Data Privacy Act only refers to the person responsible for a data registry or bank, which means any private legal entity or individual, or government agency, that has the authority to implement the decisions related to the processing of personal data. Therefore, there are no distinct duties for owners, controllers or processors. Still, government agencies can only process data regarding matters within their respective legal authority and subject to the rules set out in the Data Privacy Act.

Germany

The GDPR applies to the processing of personal data by a controller or a processor in the EU, regardless of whether the processing itself takes place in the EU or not. So effectively the GDPR directly applies to service providers processing personal data in the EU.

Certain contractual requirements are obligatory in data processing agreements between a controller and a processor processing personal data on behalf and subject to the instructions of the controller. In case the processor uses another subcontractor, the level of data protection cannot be lower than the level outlined in the primary data processing agreement according to Art. 28 (4) GDPR. Thus, such contracts usually contain flow-down provisions.

India

Privacy Rules

The Privacy Rules apply directly to body corporates who collect, receive, possess, store etc. PII and sensitive PII.

While such body corporates may transfer information of Data Subjects to third parties (such as to third party service providers for processing), such transfer is permitted subject to the condition that the transferee ensures the same level of data protection that is maintained by the transferor, minimum standards for which are provided under the Privacy Rules.[40]

Hence, service providers may be statutorily liable for negligence.

Privacy Bill

The Privacy Bill permits data fiduciaries to appoint data processors[41] to process PD on their behalf. These data processors will be authorized to process PD as per the instructions of the data fiduciaries. The Privacy Bill contains several provisions that apply directly and equally to data processors and data fiduciaries.

[40] Please see our response to Query 15 below in relation to conditions governing transfer of PII and sensitive PII.
[41] "Data processor" is defined in the Privacy Bill to mean "any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary".

China

Laws in China apply directly to service providers that process personal information. The CSL regulates network operators, which are defined to include the owners, administrators and providers of network systems. Virtually all companies involved in any kind of Internet-based services will be subject to the CSL and its accompanying laws, including service providers involved in Internet-based services.

Although the PI Specification mainly regulates personal information controllers, it also lays out a number of requirements for the delegated processors to follow:[39]

  • process the personal information strictly in accordance with the instructions of the personal information controller; if the delegated processor cannot process the personal information according to the requirements of the personal information controller due to special reasons, the delegated processor shall promptly inform the personal information controller;
  • obtain the authorization of the personal information controller in advance if the delegated processor needs to redelegate the processing;
  • assist the personal information controller in responding to requests from the personal information subject;
  • promptly inform the personal information controller if the delegated processor cannot guarantee a sufficient level of data security protection or encounters a safety incident during the processing of personal information;
  • no longer retain the personal information once the delegation relationship terminates.[40]

[39] PI Specification, 8.1 c).
[40] PI Specification, 8.1 c).

Indonesia

Ideally, MCI Regulation 20/2016 applies to the entire handling process of Personal Data, from collection to processing. Consequently, any ESO that takes up any part of the handling process of Personal Data should also be bound by MCI Regulation 20/2016.

Nevertheless, in terms of the implementation of individual rights, we are of the view that MCI Regulation 20/2016 does not automatically extend to the Data Processor. Since a Data Processor that acquires Personal Data from the Data Controller will only act on behalf of the latter, the ESO collecting the Personal Data (i.e., the Data Controller) is the one that bears direct responsibility to the relevant Data Subject. Therefore, in the event the Data Subject wishes to take certain actions or file requests against the Data Processor, this shall be done through the Data Controller.

Portugal

Yes. GDPR provisions apply directly to data processors. Notwithstanding, processors shall also comply with any additional contractual provisions they have committed themselves to vis-à-vis the controller, including any lawful instructions of the controller regarding the data processing.

United Kingdom

Processors do not have the same obligations as controllers and do not have to pay a data protection fee. However, they do have a number of direct obligations of their own.

New statutory obligations are imposed on processors in relation to processing contracts, security measures, security breach notifications, data protection officers and record-keeping.

Processors are also subject to the relevant investigative and corrective powers of a supervisory authority (such as the Information Commissioner's Office) and may be subject to administrative fines or other penalties for breaches of their direct obligations under the Data Protection Act 2018. They may also be contractually liable to the controller for any failure to meet the terms of their agreed contract. This will of course depend on the exact terms of that contract.

Any party can also bring a claim directly against a processor. A processor can be held liable to pay compensation for any damage caused by its processing (including non-material damage such as distress). The processor will only be liable for the damage if:

  • they have failed to comply with the provisions specifically relating to processors; or
  • they have acted without the controller’s lawful instructions or against those instructions.

Processors will not be liable if they can prove they are not in any way responsible for the event giving rise to the damage.

If processors are required to pay compensation but are not wholly responsible for the damage, they may be able to claim back from the controller the share of the compensation for which they were liable.

Sweden

The GDPR is most often directly applicable to processors that process personal data, although the controller is responsible for making sure that all privacy principles described under question 4 are adhered to, and for being able to demonstrate compliance with them.

Further, the Data Protection Act is to a limited extent also applicable to processors. The Data Protection Ordinance is however not applicable to processors.

Greece

It is clear from the wording of article 3 paras 1 and 2 of the GDPR that the latter applies directly to both the data controller and the data processor.

Moreover, at national level, article 3 par. 3 of L. 2472/1997, as well as article 1 par. 8 of the Greek draft law provide for the direct applicability of their provisions to both the data controller and the data processor.

However, there are both national and GDPR provisions that, taking into consideration the nature and scope of each role, distribute specific responsibilities and distinct obligations upon the data controller and the data processor.

In addition, and in accordance with article 28 of the GDPR, a contractual relationship between the controller and the processor, the exact content of which is specified in the above article, is required and includes the details mentioned above, in the previous question.

Turkey

The obligations set forth under the local data protection legislation are generally required to be complied with by the data controllers. However, with respect to ensuring compliance with the obligations concerning personal data security, data controllers and third-party service providers acting as data processors are jointly and severally liable.

Austria

In many cases, the data protection provisions apply (also) directly to processors, in particular the provisions of the GDPR (e.g. security of processing, appointment of a data protection officer).

In addition, legal obligations that affect the controller are often passed on to the processor by contract.

France

Under GDPR and under the French DPA 1978, processors have a number of direct obligations of their own concerning for instance security measures, security breach notifications, data protection officers and record-keeping.

Processors are also subject to the relevant investigative and corrective powers of the supervisory authority and may be subject to administrative fines or other penalties for breaches of their direct obligations. They may also be contractually liable to the controller for any failure to meet the terms of their agreed contract. This will of course depend on the exact terms of that contract.

Any party can also bring a claim directly against a processor. A processor can be held liable to pay compensation for any damage caused by its processing (including non-material damage such as distress). The processor will only be liable for the damage if:

  • they have failed to comply with the provisions specifically relating to processors; or
  • they have acted without the controller’s lawful instructions or against those instructions.

Processors will not be liable if they can prove they are not in any way responsible for the event giving rise to the damage.

If processors are required to pay compensation but are not wholly responsible for the damage, they may be able to claim back from the controller the share of the compensation for which they were liable.

Guidelines about processors were published by the CNIL in September 2017 and provide processors with a lot of information on their own obligations and on how to comply with them.

However, specifically, some other laws may apply, for example, to health data hosting providers which are subject to the provisions of the Public Health Code.

United States

U.S. privacy laws generally do not apply directly to service providers, and most requirements stem from flow-down data owner contractual requirements. There are, however, several sector-specific federal laws, such as HIPAA, GLBA, FCRA, FERPA and COPPA, that may require certain service provider activities and apply related standards. In addition, federal procurement programs, such as the Defense Federal Acquisition Regulations Supplement (DFARS), may require entities servicing the federal government to maintain adequate security and apply protective measures to prevent the loss of, misuse of, unauthorized access to or modification of information. Finally, the new CCPA regulates service providers and has complex provisions regarding when making PI available to a vendor is or is not a sale subject to a “do not sell” request and when the business and the service provider are or are not entitled to a safe harbor as to the other’s noncompliance with the law.

Malaysia

Under Section 2, the PDPA applies to any person who processes, as well as any person who has control over or authorizes the processing of, any personal data in respect of commercial transactions.

Gibraltar

GDPR requires the contracting data controller or data processor to ensure that any person or entity engaged to carry out functions on their behalf adheres to the requirements of GDPR. This must be done by way of a written contract which sets out the responsibilities and obligations of each party. Minimum contract terms are set out in point 14 below.

Ireland

Processors do not have the same obligations as controllers, but they do have a number of direct obligations of their own.

New statutory obligations were imposed by the GDPR and DPA 2018 on processors in relation to processing contracts, security measures, security breach notifications, data protection officers and record-keeping.

Processors are also subject to the relevant investigative and corrective powers of the DPC, and may be subject to administrative fines or other penalties for breaches of their direct obligations under the DPA 2018. They may also be contractually liable to the controller for any failure to meet the terms of their agreed contract. This will of course depend on the exact terms of that contract.

A processor can be held liable to pay compensation for any damage caused by its processing (including non-material damage such as distress). The processor will only be liable for the damage if:

  • it has failed to comply with the provisions specifically relating to processors; or
  • it has acted without the controller’s lawful instructions or against those instructions.

Processors will not be liable if they can prove they are not in any way responsible for the event giving rise to the damage.

Japan

The laws are directly applicable to service providers. For example, service providers have a legal obligation to provide secure management of personal information (APPI, Article 20). Also, service providers must execute a service agreement and, pursuant to such service agreement, are contractually obligated to protect personally identifying information (APPI, Article 22).

Updated: September 16, 2019