Contrary to a common misconception, the software manufacturer is not the data controller as defined in the General Data Protection Regulation (GDPR).
1. Who is the “real” owner of the data processing
This means that the software house cannot independently define the specific purposes for which the personal data are processed.
Indeed, it is the data controller (in this case the customer) who instructs the software house on the activities it has to carry out with respect to the processing of personal data. These instructions must be given in writing, by signing a contract between the parties. Through this agreement the customer appoints the software house as the “data processor”.
2. What governs the contract
The agreement between the software manufacturer and the customer should cover at least the matters listed in Article 28(3) of the GDPR, in order to demonstrate that the data processor provides “sufficient guarantees”: in particular, the nature, duration and purpose of the processing (or of the processing activities assigned), the categories of data being processed, and the appropriate technical and organisational measures that allow compliance with the instructions received from the data controller and, more generally, with the provisions of the GDPR.
In fact, the data controller has to choose a data processor that provides adequate guarantees regarding the processing of data, bearing in mind that the software house, as developer and owner of the software, is the party that best knows the categories of data processed and how to activate the related security measures.
Hence, it is strategic to choose a data processor that is suitable and that also knows how to advise the data controller on the design and management of data processing.
3. What the software house can do
This is why it is good practice for software houses, during the negotiation and contract-signing phase, to communicate clearly and precisely to the customer which security measures they apply (by way of non-exhaustive example: penetration tests, strong passwords, etc.), so that the data controller can properly evaluate whether the proposed security measures are consistent with its own risk assessment.
In concrete terms, a piece of software cannot itself be GDPR compliant; the data processing can be. The task of software houses is to develop and produce software that gives adequate security guarantees and offers options to their customers, enabling them to build, through the software itself, a data processing system that is GDPR compliant.
4. The importance of building an effective data processing model that complies with regulations
For all of the reasons above, it is almost superfluous to point out how central, in building an effective data processing model that complies with the applicable regulations, is the signing of a contract appointing the data processor, which lists the responsibilities of each party as well as the areas of collaboration between them.
Although failing to sign a contract designating the data processor would not in any case exempt the software house from the role it actually plays, it is good practice to sign one: not only to comply with the mandatory rules of data protection, but also to define specific ad hoc appointments that take into account the particular relationship with the customer and the principle of accountability and, above all, to limit and make verifiable the respective responsibilities of the data controller and the data processor.