22 Feb Obligations and responsibilities in supply chain management

Assessing suppliers to prevent unlawful processing and data breaches

1.1 EU Regulation 2016/679 (“GDPR”)

Alongside the steady increase in the use of information technologies which characterizes present-day society, the number of threats to adopted systems has also expanded.  Such threats are amplified by the interdependencies between multiple companies involved in the same supply chain [1]. Due to this fact, both the Italian and the European legislator have turned their attention towards the internal management of organisations, the relations that organizations have with their suppliers, and so-called supply chain incidents [2]. This is also confirmed by the provisions of the GDPR, which mirror the same approach adopted by (repealed) Directive 95/46/EC. In this regard, Article 28 of the GDPR requires the data controller to carefully assess data processors (i.e. suppliers) that process personal data on behalf of the controller, also with regard to the IT security measures offered by the data processors.

1.2 The Italian regulatory framework: the extension of the assessment in the context of the so-called National Cyber Security Perimeter

The Italian legislator has broadened the scope of the aforementioned assessment also to those entities whose activities are of strategic relevance to national security: to this end, Decree-Law no. 105/2019 has established the so-called “National Cyber Security Perimeter” in order to promote greater attention towards cybersecurity issues. In particular, there is an obligation to notify the intention to outsource the provision of ICT goods, systems and services and/or the performance of IT services to the National Assessment and Certification Centre which may then carry out preliminary assessments and impose conditions and tests on hardware and software in security audits.

Some relevant issues: consequences of failure to assess suppliers

2.1 The liability of the data controller

The verification of processors carried out pursuant to Article 28 GDPR aims to ensure the implementation of appropriate technical and organisational measures to guarantee and demonstrate the lawfulness of a processing activity and the protection of data subjects’ rights. In this sense, appropriate assessments could prevent the data controller from being held liable for culpa in eligendo if the suppliers appointed for the processing activity disregard the suitability and adequacy requirements imposed by the controller and ensured by the processor.

However, this would not be sufficient to rule out the liability for culpa in vigilando throughout the duration of the contractual relationship, during which the data controller is required to carry out, on a constant and regular basis, appropriate audit and inspection activities (e.g. through specific second party audits) [3]. It should also be considered that the resulting liabilities are not only those provided under Article 28 GDPR.

2.2 Liability of the data processor

The data processor is to be held liable for unlawful processing activities when it (or its sub-processors) fails to comply with its obligations under the GDPR and when it acts outside or contrary to the lawful instructions provided by the data controller.

2.3 Additional sanctions for companies of “strategic importance”

It should also be noted that, in addition to the administrative sanctions provided for by the GDPR, the aforementioned Decree-Law no. 105/2019 establishes, among others, administrative sanctions for the violation of the imposed notification obligations in the event of non-compliance with the required security conditions or in the absence of the favourable outcome of the tests required by the National Assessment and Certification Centre. In such cases, supply contracts, even if already signed, will not produce effects or will cease to produce them.

Practical implications: how to conduct effective assessments of processors

The risk-based approach, which also underpins Italian legislation [4], is commonly acknowledged in international standards on information security, providing a single framework to assess the adequacy of the supply chain. The data controller is therefore required to identify, prevent and manage the risks that might arise from its processing activities and is also called upon to identify risks related to the supply chain. In order to carry out such verifications or assessments, international standards, in particular the provisions of the ISO 31000:2018 on risk management, provide an effective methodology to manage risks that arise as a result of business activities. The adequacy assessment of the technical and organisational infrastructure of a supplier can also be carried out according to the international standards of ISO/IEC 27001:2013, in which the best practices for an Information Security Management System (also called ISMS) are described, and ISO 22301:2019, which concerns the activities to be implemented in order to create an effective Business Continuity Management System (so-called BCMS).

Further assessments should also be carried out on the basis of specific provisions issued by the Italian Data Protection Authority, including (for example) those included in Annex B to the repealed Italian Personal Data Protection Code (Legislative Decree no. 196/2003) [5],  the provisions on system administrators, those on the tracking of banking transactions, the general authorisations [6], and Articles 25, 32 and 35 GDPR.

References:

[1] The term “supply chain” refers to the management of the distribution chain relating to a product and/or service and, in this case, also to the relationship between the contractor-supplier and the data controller-data processor.

For further details: Mentzer, J.T. et al (2001): Defining Supply Chain Management, Journal of Business Logistics, Vol. 22, No. 2, 20.

[2] The term “supply chain incident” refers to the possibility that a data breach does not occur directly at the business data controller, but at that of one of its suppliers, duly appointed as a data processor pursuant to Article 28 GDPR.

[3] Injunction order against Wind Tre S.p.a. – 9 July 2020 (Italian language version): https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9435753

[4] It should be noted that, during the amendment of the Italian Personal Data Protection Code in order to align it with the GDPR, Annex B which contains the minimum security measures for the protection of personal data, was repealed. In this regard, it should be also mentioned that the prior notification under Article 17 of the Italian Personal Data Protection Code and Articles 31 – 36 of the Italian Code were also repealed.

[5] See the analysis of the remedial provision issued by the Italian Data Protection Authority against Aruba PEC (Italian version): https://www.ictlegalconsulting.com/2020/04/14/security-measures-old-acquaintances/?lang=en

Link to the provision of the Italian Data Protection Authority (Italian language version): https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9283040

[6] Measures and arrangements applying to the controllers of processing operations performed with the help of electronic tools in view of committing the task of system administrator – 27 November 2008: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1628774

Requirements for the circulation of bank information and the tracing of bank transactions – 12 May 2011 (Italian version): https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/1813953

General authorisations of the Italian Data Protection Authority (Italian version): https://www.garanteprivacy.it/home/provvedimenti-normativa/provvedimenti/autorizzazioni