GDPR and outsourcing. FAQ

General Data Protection Regulation (“GDPR”) has come into force more than a year ago. During this year, several new guidelines were published, and European regulators began to fine more often.

In this article, we decided to give answers to the five most frequently asked questions from the outsourcing non-EU established companies.

  1. We are a non-EU established company which provides software development services to European customers. Does the GDPR apply to us?

The GDPR applies to the vast majority of non-EU organisations offering the products or services to data subjects in the European Union. However, the issue of the applicability of the GDPR to outsourcing companies is more complex.

As you have known, the concepts of ‘controller’ and ‘processor’ are established in the GDPR. The ‘controller’ is a person which decides ‘why’ and ‘how’ the personal data is being processed. The ‘processor’ means a person which processes personal data on behalf of a controller.

Under the outsourcing agreement, the European company usually acts as a customer, and non-EU company acts as a supplier. In such a case, the European company will basically act as a data controller. The Ukrainian company will act as a processor, provided that it has access or an opportunity to gain access to personal data processed by the customer.

If a Ukrainian company will use such personal data for its own purposes or independently determines the means of processing such data, it will automatically become a controller and shall be responsible for compliance with the requirements of the GDPR.

  1. How can the European regulators enforce the fines against non-EU established organisations?

Currently, there is no clear understanding of how administrative fines will be enforced in real life. Thus, many non-EU companies take the “wait and see approach” increasing risks for their businesses.

The GDPR prescribes that data processing shall be governed by a written contract concluded between a data controller and processor. The parties can conclude a special Data Processing Agreement or include data processing clauses in an outsourcing contract.

When the Data Protection Authority enforced an administrative fine against the European controller, the controller may claim back from the engaged processor the compensation in accordance with data processing agreement. In such a case, an outsourcing company can bear civil liability.

Furthermore, the GDPR compliance is an indicator of good business reputation. The violation of its requirements increases risks for your business and may cause the loss of partners and clients in the EU.

  1. We received a questionnaire regarding data processing activities from our European customer. What should we do?

It is a good practice when a data controller sends questionnaire regarding data processing practices to its suppliers. These questionnaires may be called the ‘Supplier Assessment Form’, ‘Supplier Assessment Tool’, ‘Processor Assessment Questionnaire’, etc.

The GDPR states that a controller shall engage only processors which ensure an appropriate level of personal data security. The questionnaires are intended to prove that sufficient actions have been taken by the controller to ensure that a supplier meets the requirements of the GDPR.

If your company does not comply with the GDPR, you should not file in a questionnaire with false answers. A questionnaire is a legal document that may be used by your customer in future claims.

If you receive a questionnaire from your European customer, the best option would be to consult preliminarily with a privacy lawyer, who will analyse the list of questions, your data processing activities and provide appropriate advice.

  1. Our European customer asked us to sign a Data Processing Agreement. What is the Data Processing Agreement?

As we have said previously, data processing shall be governed by a written contract concluded between a data controller and processor. The parties can conclude a special Data Processing Agreement or include data processing clauses in an outsourcing contract.

A Data Processing Agreement is a contract to be concluded between controllers, the controller and the processor, the processor and the sub-processor. It regulates the data processing activities and states the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the rights and obligations of parties.

Article 28 of the GDPR sets out provisions to be included in a Data Processing Agreement.

  1. We are a supplier in the outsourcing relationship and act as a data processor. Currently, we comply with the GDPR and want to engage other processors. What should we pay the most attention to?

It is typical for the outsourcing relationship when a supplier engages sub-contractors. If the sub-contractors have access to the personal data of clients of the European customer, they will be deemed sub-processors under the GDPR.

In such a case, your company as a data processor shall take into account the following provisions:

  • you shall not engage other processors without the prior written authorisation of your European customer;
  • you shall to entered into a contract with the sub-contractors provided that the same data protection obligations as set out in the contract between the European customer and you shall be imposed on that sub-contractor;
  • you are obligated to inform your EU customer of any intended changes concerning the addition or replacement of other sub-contractors;
  • you shall remain fully liable to the European customer for the performance of that other sub-contractor’s obligations.


One of the most important novelties of the GDPR is that it applies not only to a data controller but also to a data processor. In the context of the outsourcing relationship, suppliers usually act as processors under the GDPR. IT business should take into account these particularities in order to be GDPR compliant.

    Your question to IT lawyers