Data Processing Authorization Requirements for Customer Service Employee Under GDPR

Question

We're hiring a customer service employee to work with non-sensitive customer data and have trained them in data protection.

What must we include in their data processing authorization to comply with GDPR?

Executive Summary

To comply with GDPR when hiring a customer service employee, your data processing authorization should cover the following critical aspects:

  • Controller vs. Processor Role: Define whether the employee acts as a data controller or a data processor to establish their level of authority and responsibility.
  • Data Processing Limitations: The document must clearly specify the types of non-sensitive personal data being processed, the intended purposes, and the principle of data minimization.
  • Lawful Basis and Consent: Identify the lawful basis for processing data, such as consent or contractual necessity, and articulate the methods for obtaining and withdrawing consent.
  • Data Subject Rights: Include how the rights of access and objection by data subjects are protected and exercised, respecting GDPR’s stipulations on subject rights.
  • Security and DPO Interaction: Mandate appropriate security measures and define protocols for regular engagement with the Data Protection Officer (DPO) to ensure ongoing compliance.

These points will guide you to draft an authorization that aligns with GDPR requirements, securing non-sensitive customer data and elucidating your employee’s obligations.

Legal trace

Understanding the Employee’s Role and Data Categories

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. Article 4(7)

The customer service employee’s data processing authorization should clarify whether they will operate with the discretion and authority of a data controller or simply carry out tasks as a data processor. If acting as a controller, the employee’s authorization must encompass widespread accountability for GDPR compliance.

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); Article 4(1)

Given the context of their work, the employee’s authorization document must specify that only non-sensitive personal data, as defined here, will be processed and make clear the distinct operations permissible under that scope.

Embedding Data Processing Principles

Personal data shall be… collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; …adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Article 5(1)(b)-(c)

The authorization must state the intended purposes for data collection and limit use strictly within these confines. Data minimization principles ensure the employee processes no more data than needed.

Establishing a Lawful Basis for Data Processing

Processing shall be lawful only if and to the extent that at least one of the following applies: the data subject has given consent…; processing is necessary for the performance of a contract…; processing is necessary for compliance with a legal obligation…; Article 6

The authorization needs to incorporate the lawful basis according to which the employee will process data, whether it be consent, contractual necessity, compliance with legal obligations, or another rationale detailed within Article 6.

Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. Article 7(1)

Should consent be the chosen legal basis, it is essential to document how consent is obtained and may be withdrawn, affirming this right plainly within the authorization.

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed; The data subject shall have the right to object… Articles 15 and 21(1)

The rights of access and objection should be respected, and the authorization should provide an explanation of how data subjects might exercise these rights.

Controller and Processor Obligations

Taking into account the nature, scope, context and purposes of processing…the controller shall implement appropriate technical and organisational measures. Article 24(1)

The authorization document must embed the responsibilities of the controller, involving extensive GDPR compliance through procedural and systemic safeguards.

The processor shall not engage another processor without prior specific or general written authorisation of the controller. Article 28(2)

If the employee operates as a processor, the document must include the procedures for sub-processing, should it be necessary. It must also emphasize the security measures required by Article 32, detailing the technical and organizational methods used to protect the data.

DPO Interaction

The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. Article 38(1)

It is crucial to describe the protocols for interaction with the Data Protection Officer, ensuring the employee knows when and how to engage with the DPO on relevant matters of data protection.

In conclusion, a comprehensive data processing authorization for a customer service employee handling non-sensitive data must be multi-faceted and clear. It must designate whether they will act as a controller or processor, outline the types of data and processing activities involved, establish a legal basis for the processing, and ensure consent procedures and data subject rights are detailed and respected. Obligations specific to controllers or processors must be integrated, with an emphasis on security practices. The interaction with the Data Protection Officer should be clearly stated, upholding GDPR compliance across all facets of the employee’s role.

PDF Repository

We have searched through the PDF repository of ECJ rulings, European Data Protection Board guidelines, and other documents to provide this supplemental answer.

Details

This supplemental answer provides additional insights into the GDPR obligations for a customer service employee's data processing authorization. The following excerpts draw on legal interpretations and guidance from GDPR-related documents, offering a deeper understanding of the intricacies involved in creating an authorization that is robust, clear, and compliant with GDPR.

Legal trace

The concepts of controller, joint controller, and processor play a crucial role in the application of the General Data Protection Regulation 2016/679 (GDPR), since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice. The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent throughout the European Economic Area (EEA). Guidelines 07/2020 on the concepts of controller and processor in the GDPR, page 3

This quote sets the foundation by differentiating between the roles of controllers and processors under the GDPR, emphasizing that these definitions significantly influence responsibility and data subject rights. When drafting an employee’s authorization, a company must clearly delineate these roles.

The processor must not process the data otherwise than according to the controller’s instructions. (…) Controllers must provide its processors with instructions related to each processing activity. (…) The processor shall not go beyond what is instructed by the controller. (…) Because such instructions must be documented, it is recommended to include a procedure and a template for giving further instructions in an annex to the contract or other legal act. Guidelines 07/2020 on the concepts of controller and processor in the GDPR, page 34

This excerpt underlines the integral nature of instructions given by the controller to the processor and the importance of documentation and clarity for each processor’s activity. It brings attention to the necessity of articulating processing terms explicitly within an employee’s data processing authorization.

The contract must say that the processor needs to ensure that anyone it allows to process the personal data is committed to confidentiality. This may occur either via a specific contractual agreement, or due to statutory obligations already in place. Guidelines 07/2020 on the concepts of controller and processor in the GDPR, page 35

Confidentiality is underscored here for individuals authorized to process data. An authorization document must therefore embed confidentiality obligations, reflecting GDPR mandates.

A processor infringes the GDPR, however, if it goes beyond the controller’s instructions and starts to determine its own purposes and means of the processing. The processor will then be considered a controller in respect of that processing and may be subject to sanctions for going beyond the controller’s instructions. Guidelines 07/2020 on the concepts of controller and processor in the GDPR, page 4

This stresses the liability of a processor that steps outside the bounds of the controller’s instructions and, by implication, the importance of clear and detailed boundaries in the authorization to avoid reclassification as a controller and potential sanctions.

Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. (…) The data subject shall have the right to withdraw his or her consent at any time. (…) It shall be as easy to withdraw as to give consent. Judgment of the Court (Fourth Chamber) of 27 October 2022, page 6

This excerpt highlights the critical requirement for clear, demonstrable consent in data processing and the necessity for easy withdrawal of consent. It aligns with the employee’s authorization needing to include consent-related protocols as stipulated in the main answer.

Processing shall be lawful only if and to the extent that at least one of the following applies: the data subject has given consent to the processing of his or her personal data for one or more specific purposes; … processing is necessary for the performance of a contract…; processing is necessary for compliance with a legal obligation…; Judgment of the Court (First Chamber) of 30 March 2023, page 6

This further solidifies the criteria for lawful processing and sets out the various legal bases that might apply to the employee’s data processing activities under GDPR.

The right to data portability typically applies only if the processing is based on a contract to which the data subject is a party. (…) the right to data portability only applies if the data processing is “carried out by automated means”, and therefore does not cover most paper files. Guidelines on the right to data portability, page 8

Portability, meaning the transferability of personal data, is detailed here. It can affect how consent and data subjects’ rights are framed in the authorization document, especially where processing is digital rather than paper-based.

The WP29 considers that to give its full value to this new right, “provided by” should also include the personal data that are observed from the activities of users such as raw data processed by a smart meter or other types of connected objects, activity logs, history of website usage or search activities. Guidelines on the right to data portability, page 9

This elaboration on what constitutes “provided by” the data subject for the purpose of data portability includes data resulting from interactions with services. This could influence the treatment of such data under the GDPR and should be reflected in processing authorizations.

The absence of an arrangement determining joint responsibility, pursuant to Article 26 of the GDPR, or of a record of processing activities, within the meaning of Article 30 of that regulation, is not sufficient in itself to establish the existence of an infringement of the fundamental right to the protection of personal data. Judgment of the Court (Fifth Chamber) of 4 May 2023, page 16

The final quote clarifies that non-compliance with some GDPR provisions, such as Articles 26 and 30, does not automatically amount to ‘unlawful processing’ and so does not by itself give rise to a need for erasure or restriction on those grounds. This underlines the importance of understanding the nuances of compliance and potential consequences.