Your most frequently asked questions about GDPR


After we published the previous article, GDPR at WEDOS, you flooded us with questions about GDPR. Since some of them come up repeatedly, we have decided to answer the most frequent ones publicly.

Is it really necessary to have a processing contract for all services?

You can trust us that we really wanted to avoid processing contracts as much as possible. We tried to explain to the ÚOOÚ how hosting services actually work. We gave several examples, including the operation of a VPS with an encrypted disk, where it is virtually impossible to access the data. However, according to the GDPR methodology of the ÚOOÚ, all hosting services are indeed covered by the new regulation: a valid processing contract must exist in writing, and the hosting company must comply with all GDPR requirements. If we do not comply, we and you could be fined up to EUR 20 million or up to 4% of our total annual worldwide turnover.

From the point of view of the ÚOOÚ, any company that stores data carriers on which personal data are or may be stored is automatically a processor.

Simply put, what matters is not whether the personal data can realistically be accessed, but whether it can be stored there.

All shared web hosts, VPS, remote storage (like our WEDOS disk), dedicated servers and even the cloud automatically fall under GDPR. In our case, we’ve added domains as well, because you get a free miniweb service included with each one.

Does the GDPR apply to me even if I am a natural person who is not an entrepreneur?

There are a total of four exemptions in the GDPR, defined in Article 2 “Material scope”. Unfortunately, there is no exemption for non-entrepreneurs. The only one available to individuals covers purely personal or household activities.

So if your website allows registration and you store personal data of users (e.g. name and surname, email, IP address, etc.), you are a controller from the point of view of the ÚOOÚ and you need to have a Privacy Statement on the website. The ÚOOÚ also recommends a Cookie Statement and an electronically signed processing contract from us (one click in the customer administration for a specific service, in the Provider section).

Can I print your processing contract for the customer?

Yes, you can. However, it is important to note that the signed electronic version (PDF) is always the latest revision, which can be downloaded at any time from the administration.

Due to the large number of similar requests, we have added our company stamp and the signature of Josef Grill, the sales director of WEDOS Internet, a.s.

You do not need to send signed contracts back to us. We consider a contract concluded once it has been downloaded in the administration.

I am a processor, but your processing contract only provides for a controller?

We are not able to assess whether the person who set up the site is the controller or the processor, and therefore they are listed with us as the operator. In response to numerous requests, we have added a passage to the terms and conditions which provides that the operator may be another processor.

If the Customer stores any personal data with WEDOS, a Processing Agreement is concluded between WEDOS and the Customer, according to which the Customer is the controller of such personal data and WEDOS is the processor. A similar procedure is followed if the Customer is already acting as a processor of personal data for another controller. In this case, WEDOS is the further processor.

Am I at risk of penalties if I have everything in order on the site under GDPR, but I host with a company that does not have or refuses to conclude processing contracts?

Yes, you can face sanctions. If you store data on third-party devices, you should have a processing agreement with your hosting company. If you do not have such a contract, you do not comply with the requirements of the GDPR and risk the above-mentioned sanctions. It is irrelevant whether your hosting company does not enter into processing contracts, does not provide them, or you yourself do not want to enter into such a contract.

At WEDOS, we really wanted to avoid any contracts and unnecessary documentation, but after many months of searching for a way, we had to introduce the processing contracts. We didn’t want to put our clients (and us) at risk of sanctions.

It follows from this that the failure to conclude a processing agreement is not the responsibility of the hosting company, but of the controller, i.e. you in your capacity as the operator of the website. Therefore, it is not the hosting company that is liable for the missing processing contract, but the hosting customer. The penalties in this case will not fall on the hosting company, but on you as the operator. I guess that’s why some hosts don’t address the situation. If the hosting company enters into a processing contract with the customer, it must behave according to this contract. And in every contract there are rights and obligations. Therefore, not all hosts enter into processing contracts.

Our automated system generates identical processing contracts for all customers, thus avoiding the complication of concluding individual processing contracts with different contents. Individual contracts would be an additional risk in the future because we might not do the right thing in individual cases.

What makes you think that every hosting has to enter into processing contracts?

For more information on the obligations of website and hosting operators, please visit the ÚOOÚ website. It clearly states:
“If the data is stored in the lessor’s database and web hosting, the lessor will be in the position of a processor with whom a contract must be concluded pursuant to Article 28(3) GDPR. The processor is also responsible for taking measures to safeguard personal data in accordance with Article 32 of the GDPR.”

“…a written contract must be concluded between the controller and the processor setting out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the controller. The contract must also guarantee certain circumstances of the processing, see Article 28(3) of the General Regulation.”

A glossary of the most important terms regarding GDPR can be found here.

You can find out how online shops are doing in terms of GDPR here.

The relationship between the controller and the processor can be found here.

From our point of view, we have done everything so as not to put anyone at risk of any sanctions.

Conclusion

Let’s hope that we have successfully passed GDPR and can move on to other things.