What actions to take when a Data Processor doesn't respect GDPR?

Question

We've recently exchanged emails with one of our Data Processors, because they don't grant the ability to permanently delete hosted documents (pdf, png, etc.) on their platform. Such documents might contain personal information.

In the event where an end-user would want to permanently delete such documents, we don't have the ability to do it for them (because the Provider doesn't give us any tool for doing so). Thus, we can't comply with any privacy-related request from our end-users. It also seems even the Processor cannot perform such a request in the event where we would forward the request to them. (they don't seem to have the necessary tools, either)

Therefore, we believe they don't comply with GDPR because of the Right to erasure/rectification.

The Processor doesn't recognize their responsibility on this matter, and are stating they respect GDPR regulations. Although, they haven't provided us with any meaningful reply regarding that particular matter. They're basically saying they're doing things "by the book" and sending us links to their online documentation, which do not answer the issue at hand.

At this point, we're concerned about what to do next. It feels like they won't acknowledge the issue and won't take responsibility about fixing it. We're thinking about opening an official enquiry, but we're unsure how to proceed.

Edit: The data processor is based in the US, while we are based in France (EU). We have signed a DPA with them.

Answer 1

The data processor is not responsible for complying with the GDPR. You are ultimately responsible, since you are the data controller. The data processor is merely required to assist you, but it's unclear what that means in the presented scenario.

Per Art 28(3)(e) GDPR, the DPA must require the data processor to provide reasonable assistance:

That contract or other legal act shall stipulate, in particular, that the processor: […] taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;

However, per Art 28(1) you can only engage processors that you deem sufficient to protect the data subject's rights:

the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

Here, it seems that your company failed to ensure that the processor provides the features you need for compliance. Many companies claim to be GDPR-compliant, but that doesn't mean that your use of their services will be GDPR-compliant as well. Depending on how the Art 28(3)(e) requirement was implemented in the DPA you may have a right to assistance even if the processor doesn't implement necessary features in their software, but enforcing this contract could require a lawsuit in a foreign jurisdiction (but that's par for the course for international B2B contracts).

It is worth noting that the GDPR right to erasure doesn't always apply. In a processing activity where no erasure right is likely to arise, it would be perfectly fine to use a data processor that doesn't offer any possibility for erasure. Similarly, it can sometimes be legal to use technologies like Blockchain or Git that make erasure difficult or impossible. However, it is the responsibility of the data controller to analyze the impact of such a choice up front, before commencing the processing activities. In some cases, this could require a Data Protection Impact Assessment (DPIA).

Note that transfers of personal data into the US are illegal or at least questionable in the wake of the 2020 Schrems II ruling. The Privacy Shield is no longer a legal basis for such transfers. Standard Contractual Clauses (SCCs) are technically allowed, but only “on condition that enforceable data subject rights and effective legal remedies for data subjects are available” (cf Art 46). The ECJ's judgement calls this into question. This could be a further incentive to migrate to a more GDPR-compliant service.