IT contracts and GDPR in France
22/2/26

The role of the GDPR subcontractor in France: practical guide for SMEs and CEOs

Learn everything about the role, obligations and responsibilities of the GDPR subcontractor: definition, practical examples, audit, contractual clauses, and all the answers to your questions. A complete guide written by a lawyer in Paris for SME managers.


Introduction


GDPR compliance has become a major challenge for businesses, regardless of their sector or size. SME managers, who are required to outsource numerous services, must master the concept of GDPR subcontractor, understand the resulting obligations and secure their compliance at each stage of the contractual chain. This article aims to provide you with a complete and concrete overview of the subject, by integrating practical examples, educational frameworks, a focus on contractual drafting and a detailed FAQ.


What is a GDPR subcontractor? (Definition and foundations)


Legal definition of a subcontractor (processor) within the meaning of the GDPR


According to Article 4 of the GDPR, the processor is the natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller. It acts exclusively on the instructions of the data controller.


Example: A provider managing your company's payroll, or a cloud provider hosting your customer data, acts as a GDPR subcontractor.


Distinction between subcontractor and data controller


Law professors and practitioners emphasize the importance of the distinction between subcontractor and data controller. Qualification depends above all on decision-making autonomy over the purposes of the processing.


The concept in the practice of an SME


The use of subcontracting in the areas of IT, marketing, customer relationship management (CRM), IT maintenance or accounting almost systematically raises the question of GDPR subcontracting for SMEs. These are everyday situations to watch out for.

Is the GDPR subcontractor directly subject to the GDPR? (Scope of application)


Applicability of GDPR obligations to subcontractors


Contrary to popular belief, the GDPR fully applies to subcontractors. They are required to put in place appropriate organizational and technical measures in order to ensure the security, confidentiality and compliance of the processing.


Any subcontractor processing the personal data of European citizens is covered, including one located outside the EU that acts on behalf of a data controller established in the EU.


Practical case:


A French SME outsources the management of its website to an agency based in Morocco: this agency will be subject to the RGPD if it processes data from European customers for the SME.


Application of the GDPR to the subcontracting chain (Data processor and subsequent subcontractor)


Any subcontractor must itself contractually govern the use of a subsequent subcontractor (cascading subcontracting), and only after express authorization from the data controller.


The main obligations of the GDPR subcontractor


Adherence to documented instructions


The subcontractor can only act on documented instructions from the data controller (article 29 GDPR). Any deviation exposes you to significant sanctions.


Data security and confidentiality


The subcontractor must guarantee the technical and organizational security of the processing (e.g. encryption, restricted access, traceability logs), as well as the confidentiality of the data.


Example: For a health data host, the establishment of regular security audits and the appointment of a data protection officer are expected measures.


Contribution to the compliance of the data controller


The subcontractor must help the data controller meet the obligations provided for by the GDPR (e.g. management of breaches, carrying out impact assessments, etc.).

Transparency requirement


The subcontractor must keep at the disposal of the data controller all the information attesting to compliance with its obligations.


Contractual drafting: the requirement of an Article 28 GDPR contract


What does Article 28 GDPR provide for subcontracting contracts?


Article 28 GDPR requires the formalization of a contract or another legal act which must specify, in particular:
• the subject matter, duration, nature and purpose of the processing,
• the categories of data and of data subjects,
• the obligations and rights of the data controller,
• the specific obligations of the subcontractor in terms of security, confidentiality, assistance, deletion/return of data, etc.


Example of a contractual clause:


The subcontractor undertakes to process personal data only after receiving written and documented instructions from the data controller and to implement all appropriate technical and organizational measures in order to guarantee the security and confidentiality of said data.


The value of compliance audits for the client


The client has the option (or even the obligation) to audit its subcontractors. The contract should explicitly provide for the modalities and periodicity of these audits.


In practice: include a clause allowing access to premises or systems for audit on reasonable notice.


GDPR audit and subcontractor management


Why and how do you audit your subcontractors?


The RGPD audit of a subcontractor aims to ensure that it complies with all of its technical and organizational obligations (access management, staff training, backups, incident management, etc.).

Key points to check:


• Compliance with security policies
• Traceability of accesses and operations
• Existence of a DPO (data protection officer)
• Possession of certificates or certifications (ISO 27001, SecNumCloud...)

Practical tools: for an example of a questionnaire to send to a GDPR subcontractor, contact me.


Responsibility and sanctions of the GDPR subcontractor


Responsibility of the subcontractor in case of breach


The subcontractor incurs contractual liability towards the client, but also administrative liability in the event of non-compliance with the GDPR.

Sanctions can reach 10 million euros or 2% of global turnover, depending on the case.


Joint and several liability


Article 82 RGPD provides that a subcontractor may, alongside the data controller, be sued and ordered to compensate any person who has suffered damage as a result of non-compliant processing.


RGPD: subcontractor, data controller, subsequent subcontractor


Difference between data controller and subcontractor


The data controller decides on the purposes and means of the processing. The subcontractor only acts on instructions. The subsequent subcontractor is commissioned by the initial subcontractor with the approval of the data controller.


Concrete example: your SME mandates an IT company that itself subcontracts part of the maintenance to a third-party company: the latter then becomes a subsequent subcontractor, and must be listed/identified in the initial contract.


FAQ: your questions about GDPR subcontractors


What is a subcontractor in the sense of the GDPR?


A subcontractor is any entity processing personal data on behalf of a data controller, upon formalized instructions.


Does the GDPR apply to subcontractors?


Yes, the GDPR fully applies to subcontractors who process the personal data of European residents, even if they are based outside the EU.


How can the subcontractor be subject to the obligations of the GDPR?


As soon as it processes, even indirectly or through cascading subcontracting, data of natural persons on behalf of a data controller, the subcontractor is subject to the GDPR and must apply all of its requirements.


What is the scope of the subcontractor's liability?

The subcontractor is directly responsible to the CNIL and the persons concerned for any breach of its security, confidentiality or cooperation obligations, in addition to its contractual liability.


What should a subcontractor's GDPR questionnaire or audit contain?


A genuine GDPR audit must verify security measures, access management, the procedure in case of a breach, the appointment of a DPO, the conduct of impact assessments, as well as the possibility of remote or on-site audit.


What are the risks incurred by a subcontractor in the event of a violation of the GDPR?


Heavy financial penalties (up to €10 million or 2% of turnover), loss of trust, termination of contracts, or even damages.


What are the examples of typical subcontractors for an SME?


• Payroll providers
• Data hosts
• Digital marketing agencies
• Online chartered accountants
• Debt collection agencies


What is the point of formalizing the contractual relationship via article 28 RGPD?


This makes it possible to secure the legal framework, anticipate the management of a possible breach, set audit rules, clarify responsibilities and demonstrate compliance to the CNIL.


GDPR subcontractor: what standard clauses should be included in its contract?


It is necessary to detail the obligations of the subcontractor, the commitment to security, confidentiality, the return/deletion of data at the end of the contract, the audit procedures, the management of subsequent subcontractors, and the notification of breaches.


Points of attention:
• Increased monitoring of the subcontracting chain: always require the express mention and authorization of the use of any subsequent subcontractor, under penalty of non-compliance.
• Documentation: keep all contracts, instructions, audits, and correspondence in full. Proof of compliance is based on documentation.


Conclusion: expertise, vigilance and support


The management of the GDPR by SMEs cannot be limited to a theoretical vision of the obligations of the subcontractor. Operational reality requires integrating these issues into all management actions, from the selection of service providers to monitoring the execution of contracts. The challenge is both legal and economic, and GDPR compliance is now a guarantee of seriousness for customers and partners.

Note on engaging a legal professional


Personal data law and the consequences of non-compliance with the GDPR are regulated matters, in constant evolution and subject to case law. The support of a specialized lawyer is essential to anticipate and manage all the challenges, secure your contracts and best manage operational risks, especially when your company is involved in complex subcontracting processes.


Article written by Guillaume Leclerc, lawyer in commercial contracts and commercial litigation in Paris.