Responsibility under the GDPR: what is the role of a lawyer?
The General Data Protection Regulation (GDPR) presents various concepts that are used to qualify the actors involved in the processing of personal data. Such concepts include controllers (joint or separate), processors and persons acting under the authority of the controller or processor.
Although they play a fundamental role in managing responsibilities under the GDPR, the qualifications are often difficult to distinguish. Because of this, the support of a data protection expert is essential to avoid compliance problems that could arise following a wrong qualification.
At CRANIUM, through our experience in helping companies across various sectors implement GDPR rules, it has become clear that the qualification of these different actors can be an issue, particularly in law firms. Indeed, the independent status of the lawyer raises doubts about which legal qualification to adopt.
Who is behind these concepts?
The data controller decides the essential elements of the data processing; in other words, this person determines the purpose and means of the processing: the why and the how. While the controller can be a natural person, most of the time it is a legal entity. When several actors jointly decide on the purpose and means of the processing, they are called joint controllers.
A data processor, on the other hand, processes the personal data on behalf of the controller. The processor is usually a distinct entity acting on behalf of the former and according to their instructions. In some cases, the data controller can act as a processor for another company.
If the controller uses its own resources (such as software and marketing tools) within its own organisation, there is no processor. Employees or temporary staff then qualify as persons acting under the authority of the controller within the meaning of Article 29 of the GDPR.
How to qualify the members of a law firm?
The different members of a law firm may have different roles depending on the specific processing operation, often requiring a case-by-case analysis.
The data controllers
When a lawyer represents a client in litigation and manages a case, questions may arise as to whether the lawyer is acting as a data controller or as a data processor linked to the case. The EDPB (following the Article 29 Working Party) has treated this issue in its Guidelines 07/2020 on the concepts of controller and processor in the GDPR:
“The reasons for processing the personal data is the law firm’s mandate to represent the client in court. This mandate however is not specifically targeted to personal data processing. The law firm acts with a significant degree of independence, for example in deciding what information to use and how to use it, and there are no instructions from the client company regarding the personal data processing. The processing that the law firm carries out in order to fulfill the task as legal representative for the company is therefore linked to the functional role of the law firm so that it is to be regarded as controller for this processing.”
Therefore, the law firm, in its client relations, must be considered as the controller of the personal data.
In reality, a law firm brings together several lawyers who act separately and have independent status. Are we, therefore, dealing with a single or several controllers?
When a law firm uses software that centralizes the lawyers’ accounts, the firm will be responsible for the processing of the personal data contained in the software. In this case, the law firm decides on the access, categorization, and length of time the files are kept.
At the same time, each lawyer manages his or her accounts autonomously, making them controllers when they process personal data in the context of preparing a defense file or drafting a procedural document. As for lawyers working under the instruction of a head of department, the qualification as a controller can be argued depending on how much latitude the lawyer has in managing the cases in which they are involved.
The data processors
A law firm almost always uses processors (subcontractors), for instance when it relies on case-management software for legal professionals.
However, the question arises as to whether a lawyer can be a processor within the meaning of the GDPR. The independence of the legal profession (Article 444 of the Judicial Code) makes it exceptional for a lawyer to be considered a processor.
For example, a lawyer may be considered a processor when a colleague entrusts them with a file to plead, on the strict condition that they remain within the framework of the instructions given by that colleague.
In 2011, the CNIL also considered that a lawyer who takes part in an audit on the basis of instructions strictly defined by their clients could be considered a processor.
Persons acting under the authority of the controller
There is little doubt that a secretary or legal assistant falls into this category, since they process personal data under an employment contract, within the entity of the controller (i.e. the law firm) and under its authority. These employees are therefore qualified as persons acting under the authority of the controller.
The case-by-case analysis
One case that raises many questions is the qualification of the trainee lawyer. Is the trainee a separate controller, a processor who follows the instructions of their controller, or a person acting under the authority of the controller?
Although formally subject to the obligation of independence, like any lawyer, the reality for trainees is often different. Once again, the qualification depends on the case. Some trainees act with more freedom than others in their daily activities, while being supervised more or less closely.
Therefore, in order to determine the roles, it is important to analyse the facts, i.e. which actor defines the purpose and means of the processing. The same actor may have several roles, depending on the processing activity that person carries out.
The existence of contractual clauses is not in itself decisive in qualifying the roles of the parties. However, such clauses may help to identify the controller, provided that the contract accurately reflects the reality on the ground.
What are the consequences of assigning certain roles?
The assignment of roles determines the responsibilities of each party in complying with the regulation, as well as how data subjects can exercise their rights. Indeed, the data controller and data processor do not have the same obligations under the GDPR.
Moreover, any processing of personal data by a processor must be governed by a contract or other legal act drawn up in writing and including the elements listed in Article 28 of the GDPR. According to Article 29 of the GDPR, persons acting under the authority of the controller or processor must also follow the instructions of the controller or processor; however, there is no requirement for this relationship to be formalised in a specific contract.
How can CRANIUM help you?
CRANIUM can advise you on making your law firm GDPR compliant, on the qualification of the members of your law firm or on the consequences of this qualification.
To find out more about GDPR in law firms, you can join our webinar “Digitalise your law firm: When Privacy meets Security” – visit the link to register.
Don’t hesitate to contact us with any questions or to find out more about our services.