Do you rely on a key processor for your IT systems?
The duty of diligence, and of verifying that the processor keeps its systems secure, falls on the data controller. This is illustrated by a recent Resolution of the AEPD imposing a penalty of 200,000 euros on a hospital for security deficiencies in its hospital management system.
Article 28 of the GDPR: Relationship between Controller and Processor
The case exposes specific flaws in the legal relationship between the hospital (data controller) and the company that supplies and manages the software (processor), measured against the requirements of Article 28 of the GDPR:
- Data Processor Contract: The GDPR requires the controller to engage only processors that offer sufficient guarantees to implement the necessary security measures. The AEPD Resolution found that the contract with the technology company did not adequately specify the required data protection measures, and that the hospital had not thoroughly verified the company's ability to comply with the GDPR.
- Oversight of the Processor: The AEPD also found that the hospital did not adequately monitor the processor's compliance with the security measures. Such monitoring would include periodic audits and security reviews to confirm that security policies and measures were actually in place. The lack of oversight created an environment in which deficiencies went unnoticed, leaving patient data exposed to significant vulnerabilities.
- Shared Risk Assessment and Management: Although the processor is responsible for implementing the necessary security measures, the AEPD recalls in its Resolution that the controller must verify, and require, that those measures are effective and sufficient. In this case the hospital did not coordinate adequately with the technology company to assess and manage the risks of the personal data processing: no security audits were carried out, and there was no coordination to mitigate the risks identified.
- Liability: In the event of non-compliance, both the controller and the processor may be held liable for breaches under the GDPR. The sanction imposed on the hospital shows that both parties have obligations to ensure data security, and that liability is not confined to the processor.
Conclusion
This sanctioning Resolution of the AEPD shows how much depends on the proper implementation of security measures and on rigorous compliance with the data protection obligations of controllers and processors. The GDPR requires both to act diligently to protect the rights of data subjects, in this case patients, and to ensure that their data is processed in a secure and compliant environment.