IT Outsourcing: Data Protection Requirements for IT Service Providers (EU-GDPR)

Your questions answered on the EU Data Protection Regulation in the context of nearshore outsourcing

IT Consulting/Digital Transformation. Updated on February 13, 2023


As a provider of IT outsourcing services, GDPR compliance is an important topic for us. It is also often a hugely important consideration for our mainly EU-based clients.

The General Data Protection Regulation (GDPR), which has been in force since May 25, 2018, aims to unify data protection for individuals in the European Union. In this article, we give you an overview of all the important changes and obligations you should be aware of if considering outsourcing software or IT projects.

IT services and software development projects often involve access to and the transfer of data and, as such, may be subject to GDPR compliance and considerations. Sometimes that means the IT specialists working on these projects, and their employers, must be EU-based, or that GDPR-compliant systems and infrastructure need to be carefully set up.

For organisations working with IT outsourcing companies who often employ specialists based in and outside of the EU, it’s important to understand the GDPR rules that may restrict who works on their software development and other IT projects and in which roles or capacity.

This article aims to give you a broad understanding of the GDPR conditions that may influence your choice of IT outsourcing provider and how you work with them. We have also put together a comprehensive list of FAQs we have encountered on questions about IT service providers and software development outsourcing.

For more practical tips on protecting your organisation against potential GDPR breaches by an IT outsourcing partner, including a checklist for assessing their GDPR compliance, what to include in the service contract, how to monitor compliance with the contract and how to respond to a data breach should it happen, you can refer to this article:

Navigating GDPR requirements in IT outsourcing: Everything you need to know to protect your organisation against potential data protection and privacy laws infringements in the context of IT outsourcing partnerships

None of the below should be considered legal advice, which we are not qualified to provide. It is an introductory overview only and you should seek qualified legal counsel on GDPR questions you may have on IT outsourcing topics.


What is the General Data Protection Regulation GDPR?

A data protection reform was passed by the European Parliament in March 2014, before the full legal text of the General Data Protection Regulation (GDPR) replaced the outdated 1995 Data Protection Directive 95/46/EC. As of May 25, 2018, the General Data Protection Regulation (GDPR) has applied to all companies that collect, store or process personal data of EU residents.

What does the GDPR mean for my company?

The General Data Protection Regulation (GDPR) states that companies should more strictly control how personal data is stored and used. This is to protect the right to privacy of every individual in the European Union. This means that IT infrastructure, software, systems and processes must be audited for applicable GDPR regulations. Here are some steps you can take as a company:

  • Inform all employees about the GDPR regulations.
  • Make sure your employees are aware of the GDPR framework and train them regularly, including employees in home offices.
  • Assess/document what personal data you hold.
  • Organise an information audit if necessary.
  • Review the GDPR regulations/processes to avoid fines.

What is personal data?

Any information relating to an identified or identifiable natural person is considered “Personal Data”. This includes name, telephone number, location data or online identifiers such as IP address and cookies. So-called “sensitive” personal data includes, for example, ethnic origin, political or religious beliefs, and memberships or genetic/biometric data. This covers any information that allows identification of the individual.

IT outsourcing: data protection for IT service providers

Information including employee data, customer data and other confidential and sometimes personal information is now often stored in a company’s internal IT systems. As such, contracted IT service providers often have access to this data. As soon as any access to the IT infrastructure is handed over to an external software development company, personal data such as employee or customer data is usually affected.

If the IT service company processes the data, it must comply with the obligations of the GDPR, even if this data is stored on its own servers or in the cloud. The framework of requirements and obligations to comply with the GDPR should be clarified in advance with IT service providers for software development. The most important questions to ask are:

  • Who bears the responsibility for compliance with the GDPR?
  • Is the data processed inside or outside the EU?

1. IT outsourcing: Who is responsible for the GDPR?

The “responsible party” for ensuring GDPR compliance is the person, institution or organization that decides on the purpose and means of processing the personal data. Accordingly, it must be clarified whether there is commissioned processing or joint responsibility with the IT service provider.

In the case of commissioned processing, the service provider is considered a supporter and an extended arm of the client. As such, the responsibility for GDPR compliance remains with the project sponsor.

An order processing agreement must now be drawn up. According to this, the commissioned IT service provider of the software development project may only use data for a specific purpose and in accordance with the client’s instructions. As soon as the service provider violates this, he assumes full responsibility.

In the event of an agreement on joint responsibility, the outsourcing service provider is obliged to comply with GDPR in the same way as the client commissioning the software development project. However, this also means that a legal basis must be created, as the sole consent of the client to the data processing is not sufficient. This is because the rights of the data subjects must also be taken into account by both sides, and it should also be made clear contractually who is responsible for what.

Regardless of whether there is commissioned processing or joint responsibility for the software development project, it is important to be aware that compliance is a joint responsibility. Accordingly, you should review your expertise as well as tools and processes within the organization and make changes based on findings.

2. IT Outsourcing: Data Processing Outside the EU

It is important to know where the outsourcing service provider, and experts who will actually work on the project, are located. If the software development company is based in the EU, collaboration is straightforward. At a time when a lot of remote work is being done, responsible parties, contractors and off-site employees can be difficult to supervise, yet appropriate data protection and data security measures must be implemented. This applies to any employee who processes or stores data, regardless of the employee’s geographic location.

If the IT service provider (the recipient of the data) is located outside the EU, specific third country transfer requirements must be met. Once these requirements are met, the data may also be transferred to third countries outside the EU. However, these third countries must provide a level of data protection that is deemed sufficient by the European Commission. If this is not the case, sufficient data protection guarantees are required.

Avoiding fines – What can companies do?

GDPR regulations should be taken into account during the planning phase of the project, and it will be helpful to have an experienced IT service provider aware of GDPR rules and potential risks as a partner. This is especially important in the context of fines of up to 20 million euros in the case of a serious GDPR violation.

This year, for example, the company “CAIXABANK, S.A.” was found to have violated Articles 6, 13 and 14 of the GDPR due to “transfer of personal data without consent” and had to pay a fine of a whopping 6 million euros.

Companies must take their data protection seriously and make their digital infrastructure GDPR-compliant.

By definition, the company needs effective consent from all data subjects for any kind of data transfer, storage, and processing. The entire handling of data should be discussed very carefully with professional legal advice taken. Data protection authorities are becoming increasingly strict and attentive when it comes to violations of the GDPR. To avoid mistakes in data protection even when outsourcing software development, you should only work with appropriate IT service providers with sufficient (legal) data protection expertise.

FAQ – GDPR in the context of IT outsourcing

Is the IT outsourcing company allowed to process personal data outside the EU? Is data transfer to third countries permitted?

  • All EU-based companies must comply with GDPR as soon as they make use of personal data, regardless of whether the processing of the data takes place in the EU or not.
  • As soon as the recipient of the data (the company) is outside the EU, specific requirements for third country transfers must be met first and foremost – read more in the article above.

Is there a monitoring obligation?

  • A performance monitoring regulation is recommended for IT outsourcing projects. Even if there is no monitoring obligation, it makes sense to document or monitor the software development project, especially in the event of a performance failure.

Is the IT service provider allowed to hire subcontractors?

  • The outsourcing service provider of the software development may use subcontractors in the case of contract processing as long as the client has given consent.

Is there a reporting obligation?

  • The IT outsourcing partner has a duty to document and report any data breaches that occur. It should be determined what exactly happened and how serious the effects actually are.

Is there a documentation obligation?

  • The IT outsourcing partner has a duty to document and report data breaches. It should be determined what exactly happened and how serious the effects actually are.

What happens in the event of data breaches?

  • Data breaches are incidents in which unauthorised persons can access personal data, e.g. due to errors or omissions.
  • In the event of data breaches, the IT service provider of your software project is obliged to document and report them. The contents that must be reported to a data protection authority are precisely defined by the GDPR.

Do the same rules apply to public bodies?

  • The focus on data protection is particularly high in the case of public bodies. There, not only must European GDPR be considered, but also national or regional data protection guidelines.
  • Public bodies should review the current rules on the processing of personal data with the responsible government or local government entity, authority or regulator.

Is data disclosure necessary? What data is being disclosed?

  • Any kind of information, whether employee or customer data, is usually no longer stored as hard copies but digitally within the company’s internal IT infrastructure. When an IT service provider is commissioned to develop software, their potential or direct access to this data should be assumed.

Commissioned processing – Who is responsible for compliance with GDPR?

  • Regardless of whether there is commissioned processing or joint responsibility for the software development project, it is important to be aware that compliance is a shared responsibility.

Do I have an increased risk if data is processed outside the EU?

  • As long as the IT service provider has a high standard of data protection, the presence of their staff in third countries does not usually pose an increased risk.
