Commercial agent: data processor or data controller?

Lawyer Riccardo Berti

The figure of the agent is by no means easy to pigeonhole and has caused quite a few headaches for companies and for the Garante (the Italian data protection authority): in order to understand whether the agent is acting as data controller or as data processor, it is necessary, case by case, to verify how the relationship is (and will be) actually performed by the contracting parties.

The agent's privacy compliance therefore necessarily depends on a 'classification' of his role with respect to the company or companies he works for.

1. Controller, processor or authorised person?

The position of the commercial agent from the privacy point of view has always been debated, mainly because the agent must act in accordance with the principal's instructions while at the same time performing this activity with autonomy and independence, not being subject to the principal's power of management and coordination.

On the one hand, principals had every interest in disregarding the activities and methods of their agents and therefore pushed for the agents' qualification as autonomous data controllers; on the other hand, the Garante has always pushed for principals to be made accountable for the activities of their agents.

According to the view endorsed by the principals, on one side there would be the principal, an autonomous data controller, and on the other the agent, also an autonomous data controller, who in one way or another finds contacts for a potential contract with the principal and communicates their data to the latter.

This framing is particularly advantageous for the principal because it then does not have to worry about 'how' agents obtain data (perhaps by contacting customers who are natural persons through invasive methods and without bothering, for example, to consult the Registro delle opposizioni (the Italian do-not-call register) or to check their consent to receive marketing communications), since data processing remains 'separate' between the two parties and each is responsible for what happens under its own control.

However, for many years now the Italian Garante has rejected this thesis, confirming that the classification of agents, except in exceptional cases, does not fall under the hypothesis of the autonomous controller but rather under that of the external processor.

After a series of measures against various companies (especially telephone companies) that used agents to promote and market their products and claimed not to be answerable for their agents' actions precisely because the agents were 'autonomous data controllers', the Garante adopted a general provision stipulating that:

"all principals [...] shall, within 60 days of the publication of this provision in the Official Journal, designate companies or third parties acting in outsourcing as data processors".[1]

After the GDPR came into force (applicable as of 25.05.2018), the situation has not changed, as the Garante's most recent positions on this point show.

2. The measure of 9.7.2020 against Wind Tre

An interesting example comes from the recent measure of the Garante against Wind Tre, in which the Authority clarifies the classification of agents and procurers (sub-agents) in the light of the GDPR categories.

In particular, the measure concerns the activity of an agent of Wind who, although correctly classified by Wind as an external data processor (through a proper appointment, with privacy training also offered to this external collaborator[2]), had addressed to its procurers directives aimed at collecting privacy consents in a decidedly 'original' way. As one procurer reported:

"following the indications of the area manager Mr. ..., during each activation of SIM cards, the reference operator must flag all the consents provided therein. This operation is, among other things, facilitated by a special button in the management software [...]. Only if, on the occasion of the signing of the paper form printed by the system and submitted to the data subject for acceptance, acknowledgement of receipt of the information notice and issue of the consents, the data subject expresses doubts as to the consents present in the form, shall the operator amend them according to the indications given directly by the data subject".

The agent's conduct was clearly unlawful because privacy consent must be "expressed by an unambiguous positive act by which the data subject indicates his or her free, specific, informed and unambiguous intention to accept the processing of personal data concerning him or her"[3] and cannot be coerced or implied.

Having thus clarified the wrongfulness of Wind's agent's conduct, it remained to be understood to whom this wrongfulness was attributable.

In the present case Wind (the data controller) argued in its defence that it was not responsible for the autonomous and independent conduct of its external processor (the agent) who, despite the correct training given and the correct instructions received, had acted on his own initiative in breach of the GDPR.

However, the Garante flatly rejected this argument, since it is clear that the agent had no interest of its own in collecting consents on Wind's behalf by forcing customers' will.

The ruling then confirms the correct classification of the agent as external processor, going so far as to state that:

"this qualification in respect of the legal relationship between the parties can also be deemed to exist in the event that the party materially making contact, while remaining unknown to the data controller, in fact enters into a contractual relationship similar to that in place with directly contracted partners".

The controller/processor relationship thus exists not only when the principal is aware of the mandate relationship, but also when it is entirely unaware of it.

Another important clarification by the Garante in the measure under analysis concerns the procurers contracted by Wind's agent. The agent had neither classified them as data processors nor in any case authorised them to carry out processing operations, on the (erroneous) assumption that they 'operate autonomously' and that "each procurer is free and, therefore, autonomous in the search for parties to whom to direct business proposals".

The Garante rejected the agent's argument and 'slapped him down', stating that the agent should have appointed the procurers as external data processors (sub-processors vis-à-vis Wind) and/or as authorised persons (a category that groups together employees and similar subjects and therefore presupposes a relationship of broader direction and control on the part of the employer), depending on the case.

3. The agent's role: controller or processor?

That being clarified, in order to assess whether, in the individual case, the agent should be classified as controller or processor, one must first understand how the relationship is (and will be) actually performed by the contracting parties. To simplify, three typical situations can be identified:

  • (1) the agent finds and manages customer lists on its own account, provides them with its own privacy notice as controller and then chooses to which of its principals it will propose the conclusion of the deal (at which point the 'selected' principal will provide the prospective customer with its own privacy notice together with the contract). In this case the agent is an autonomous data controller.
  • (2) the agent finds customers on behalf of the principal and/or works on contact lists provided by the principal. In this case the agent is the external processor and the principal is the controller. The agent does not have to provide its own privacy notice, but merely hands the customer the privacy forms prepared by the principal, except in special situations (e.g. the agent wants to manage the principal's customer data independently, where the agency mandate so permits, in order to send informative communications to customers, etc.; in which case he will have to submit a second privacy notice to the customers, collecting consent for this processing himself). Data processing takes place under the umbrella of the principal's organisation, of which the agent is an external appendage.
  • (3) the agent not only acts on behalf of the principal, but also operates exclusively with the principal's tools, in offices made available by the principal, on the principal's computers and following the principal's instructions. In this case, for privacy purposes, the agent becomes a person who processes data under the authority of the controller (Article 29 GDPR), since there is no longer any reason to speak of an external processor: the agent is completely internalised in the controller's structure and cannot be distinguished, at least as regards data processing, from any employee.


It is clear that in most cases the agent will fall under situation (2) and will play the role of external processor.

4. Differences within the EU

On this point it should only be noted that in other European jurisdictions the situation may vary; e.g. a commentary on the GDPR produced in England 'normally' includes agents in the category of persons authorised to process data (situation (3)):

"The latter category of persons who are not third parties normally comprises the employees, agents and subcontractors of the controller or processor which/who process data for them under their direct authority"[4]

The German system would seem to move in the opposite direction, with the Munich Court of Appeal which, in a 2019 judgement[5], traces the agency relationship, for privacy purposes, back to a relationship between autonomous data controllers.

The Court, in particular, when considering the principal's duty to produce to the agent a statement of account relating to the contracts concluded thanks to the agent's intermediation, came up against the principal's objection that such data could not be transmitted, because the transmission could only take place with the consent of the data subject (according to the principal, in this case there is neither a legal obligation to transmit the data, nor is the sharing necessary to perform the contract between principal and customer).

The Munich Court, in rejecting the principal's objection, nevertheless accepts its premises and confirms that this is indeed a transmission ('Übermittlung') of the data[6], but then holds that the transmission may legitimately take place on the basis of the agent's legitimate interest in knowing the data.

The Bavarian court's reconstruction thus starts from the assumption that there is an equal and autonomous relationship between agent and principal, without either having to answer for the other, which is why the court resolves the objection by identifying legitimate interest as the basis legitimising the agent's knowledge of third-party data (customers of the principal whom the agent has contracted).

An Italian judge faced with the same question would probably have traced the legitimacy of the data transfer back to the relationship between principal and agent, which legitimises the entrusting of data (albeit 'supervised' as to its adequacy) from one party to the other on the basis of the appointment contract binding them.

In all likelihood, a reading such as the German court's, although difficult to reconcile with the EDPB guidelines, is grounded in the agent's independence, set out in Art. 1(2) of the European Directive on commercial agents (86/653/EEC) and transposed into §84 of the German Commercial Code (HGB), which reads as follows:

"A commercial agent is someone who, as an independent trader, is permanently entrusted with brokering transactions for another entrepreneur (Unternehmer) or concluding them in his name. Independent is one who is essentially free to shape his activity and determine his working time."[7]

Confirming this, the 'interpretation guide' to the GDPR drawn up by the Bavarian State Office for Data Protection Supervision shows that the German legal system favours including the commercial agent among the entities that (normally) act as data controller rather than as data processor[8], giving particular weight to the role of independent operator that the agent plays in the contractual relationship.


5. The agent's privacy compliance

What, then, must the agent do to be compliant from the privacy point of view?

The fundamental document for the agent, in the ordinary situation (2) seen above, is the appointment as external processor under Article 28 GDPR, i.e. an actual contract regulating the nature and purpose of the processing, the type of personal data and the categories of data subjects, the obligations and rights of the controller, the duration of the processing, etc.

This document is therefore essential for the agent to understand what data may be entrusted to him, to whom he may communicate it, what he must do if a customer asks to exercise his privacy rights, what to do in the event of a data breach (e.g. the agent loses the laptop on which he kept the principal's customer data), etc.

Three things are particularly important in the appointment:

  • what happens to the data processed on behalf of the principal at the end of the appointment contract, i.e. whether they are to be returned, destroyed or retained (clearly the agent may still retain the data he needs, for instance, to prove his performance and get paid);
  • whether the agent may appoint sub-processors and the procedure to follow in that case. Some appointments allow sub-processors to be appointed only with the principal's prior consent, others leave the agent more freedom, and some require the agent to inform the principal of the sub-processors it uses to process its data. Bear in mind that sub-processors are not only sub-agents but all suppliers that process the principal's customer data (trivially, if I store data on Google Drive, Google is my sub-processor, and if the appointment requires the principal's prior consent for the appointment of sub-processors, I will have to ask the principal whether I may use Google to store his data);
  • the controller's audit rights, which depending on the case may provide for simple documentary audits (questionnaires on the agent's level of compliance) or even more invasive inspections at the agent's offices (an agent, perhaps a multi-firm agent, may in some cases have to consider rejecting such a clause because it might conflict with previous privacy commitments made to other principals).

If the appointment is missing, the agent should raise the point with the principal and, if the principal remains inert, take the initiative himself by submitting to the principal a so-called 'self-appointment' as external processor, so as to effectively regulate the relationship between the parties.

The agent should then keep a register of processing activities under Article 30 GDPR (mandatory only for companies with more than 250 employees, or which carry out processing involving risks or involving special categories of data, but always highly recommended because it also allows the agent to identify and monitor the data flows of his professional activity).

In addition to this (highly recommended) register of processing activities, the agent must (this time compulsorily) keep a processor's register of processing activities. This particular register must be completed for each principal that appoints the agent as external processor. Individual appointments usually contain references to this register and any requests by the principal on how it is to be kept.

The Garante's website provides, at this page, both a model controller's register of processing activities and a model processor's register of processing activities.

6. B2C and B2B

It should also be borne in mind that, although this appointment is certainly more pressing when the agent has to contact natural persons on behalf of the principal, it is not a formality that can be dispensed with even when the agent only operates B2B and mainly contacts companies on behalf of the principal.

Even in this case the agent may process data of individuals within the client companies (trivially, name, telephone number, email, etc.) or data of sole proprietors or professionals, which are personal data to all intents and purposes; it is therefore necessary in any case to formalise the relationship with the principal for privacy purposes.

7. The agent's own privacy notices

Having clarified the relationship with the principal, which is generally regulated in the appointment contract, the agent should produce its own privacy notices.

Normally the agent will not have to provide privacy notices to the customers it contacts on behalf of the principal (at most it will have to hand out the principal's notices in accordance with the appointment), but this does not alter the fact that the agent still needs a privacy notice of its own.

For instance, the agent will process the data of the principal, its suppliers, consultants, employees, sub-agents, etc.

The agent does not carry out all this processing 'on behalf' of a principal but independently, and he will have to provide the various parties with whom he comes into contact on his own account with a notice on how he will process their data.

The notice, which generally does not entail a request for privacy consent insofar as it serves only to manage the contract between the parties, must nevertheless be provided in order to document that the data subject has been informed of how the agent will handle his or her personal data. Proof of having provided the notice to the data subject (a signature on the form, the email by which it was sent, the flag on the agent's website) must be kept for as long as the data are held.

The notice must be drafted sensibly, without uncritically relying on online templates (think, for instance, of Google as external processor for the corporate cloud: except under certain contracts, using Google involves a transfer of data to the USA, so choosing a basic notice stating that data will under no circumstances be transferred outside the European Union is already an easily detectable error in the event of an audit).

8. Appointments, authorisations, etc.

In addition to these basic documents and arrangements, the agent's privacy architecture grows as the structure grows. Sub-agents must be appointed as external processors, as must the labour consultant, the provider of the corporate cloud (in which case it is more a matter of finding the self-appointment that these large companies almost always prepare but which is sometimes hard to locate) and all those partners who are not in a position of subordination to the agent and who, in providing their services, process data on behalf of the agent (except in special cases such as a partner with a particular professional qualification, e.g. a lawyer or an accountant, who remains an autonomous data controller even when processing data on behalf of the agent).

Employees (and collaborators) must be given detailed instructions on how to process both paper and computer data, regulating their access to company systems and devices, and must be adequately trained.

The website should be equipped with a privacy and cookie policy and, as the structure grows in importance, it will be appropriate to adopt policies defining how to handle data breaches in a coordinated manner, how to respond to access requests, how to manage software and IT tools, etc.

9. Compliance as a work in progress

European legislation requires a 360-degree approach to privacy, checking for each business activity whether it may involve personal data and how such data fit into the corporate privacy structure.

Compliance must then always be regarded as a work in progress, as what is adequate at one time may become obsolete later. Our data increasingly travel on computer systems and networks that evolve at a rapid pace: if until yesterday the security standards of a laptop running Windows 7 were adequate, today they no longer are; if until last year training to avoid ransomware attacks included a number of examples, now attackers no longer use any of those methods and have invented new, more devious ones.

As bureaucratic and documentary as it may appear, the approach described here is only intended to create procedures that make it easier for the agent to make substantive adjustments, so that he or she can look, with an organised set-up, at what really matters: avoiding personal data processing done lightly and therefore very risky, thinking about the IT protection of the systems on which the agent works (encrypting a portable device today is really trivial and free of charge and can be life-changing in the event of loss of the device), and adapting data protection over time to the changing corporate set-up and to regulatory and technological developments.

Lawyer Riccardo Berti


[1] Ownership of the processing of personal data by persons using agents for promotional activities - 15 June 2011, Published in the Official Gazette No. 153 of 4 July 2011, Register of Measures, No. 230 of 15 June 2011.

[2] The written form for the appointment of an external processor is not a mere prudential suggestion but a real regulatory obligation, provided for in Article 29(9) GDPR (note that in the language of the GDPR 'written form' does not only mean paper form; on the contrary, European legislation encourages the digitisation of privacy documentation).

As regards the training obligation, the legislation provides that the processor may process data only on the documented instructions of the controller, so in a 'simple' agency relationship mere instructions to the agent may suffice, whereas in the case of Wind, which offers agents the use of its own management software, it is clear that this instruction obligation is in fact transformed into an obligation to train external collaborators, to ensure that they use the tools the company makes available to them safely and with awareness.

[3] Recital 32 EU Reg. 679/2016 (GDPR)

[4] 'The EU General Data Protection Regulation (GDPR): A Commentary', C. Kuner, L. A. Bygrave, C. Docksey, L. Drechsler, Oxford University Press (2020).

[5] Case 7 U 4012/17 of 31.07.2019

[6] According to Art. 4 point 2) GDPR, transmission is a form of communication of data, which in turn, according to Art. 14 para. 3 lit. c) GDPR, is an activity involving two or more data controllers (whereas processors and authorised persons are not communicated/transmitted data, but rather carry out processing on behalf of the controller, so that towards the outside world they are in fact a single entity).

[7] § 84 HGB: "A commercial agent is one who, as an independent trader, is permanently entrusted with brokering transactions for another entrepreneur (Unternehmer) or concluding them in his name. Independent is one who is essentially free to shape his activity and determine his working time".

[8] Auslegungshilfe (interpretation guide), Bayerisches Landesamt für Datenschutzaufsicht.