- Translorial - http://www.translorial.com -

Case Study: How to Ensure GDPR Compliance When Undertaking a Translation Project

By Monique Longton

Please note: This document is for informational purposes only and must not be construed as legal advice. Both the client and the translator are advised to consult with their lawyers and legal advisers before they undertake a translation project that falls under the GDPR.

Introduction

The General Data Protection Regulation [1] (the “Regulation” or “GDPR”) will be enforceable as of May 25, 2018. The Regulation aims to strengthen the rights of European Union residents with regard to their personal data.

The Regulation defines personal data as “any information relating to an identified or identifiable natural person […]; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Article 4 of the Regulation). Note that a document need not name a person to contain personal data: a combination of indirect identifiers (job title, date of birth, address) is enough if it singles that person out. The Regulation confers the following rights on European residents with regard to their personal data:

The purpose of this case study is to provide an approach to managing all translation projects that fall within the scope of the Regulation. It is not intended to list all of the obligations that are imposed on data controllers and processors (as defined in the GDPR). That information can be found in the Regulation [1]. Rather, this document aims to:

This document is based on the Guide for Processors [2] published by the CNIL and on the Regulation [1]. Both the client and the translator are strongly advised to read the Regulation since failure to comply with it can result in heavy fines.

Which Translation Projects Fall Within the Scope of the GDPR?

To determine whether a translation project involves the processing of personal data covered by the Regulation, look at the content of the file to be translated. Does it contain personal data of natural persons living in a European Union Member State? If the answer is “yes,” assume the Regulation applies: under Article 3 it covers processing by a client or translator established in the EU wherever the processing itself takes place, and processing by parties outside the EU where the data subjects are in the Union and the activity relates to offering them goods or services or to monitoring their behaviour. The answer to the first question is not always obvious. For example, sometimes the client has a document translated precisely because they cannot read its language and therefore do not know what it contains. In such a case, it is best to exercise caution and take all required security measures when sending the document to the translator.

Please also note the Regulation is marked as a “text with EEA relevance.” You should therefore check the EFTA’s website [3] for the progress of its integration into the EEA Agreement by Iceland, Liechtenstein and Norway.

Examples of documents that might fall within the scope of the GDPR include:

These documents would fall under the GDPR if the persons mentioned in the document are natural persons living within the European Union and the document makes it possible to identify them.

When a translation project falls within the scope of the GDPR:

Implementing a Translation Project

GDPR flowchart [4]

The diagram provides a set of guidelines for implementing translation projects that involve the processing of personal data under the GDPR. The table in the next section summarizes the client’s and the translator’s respective responsibilities under the Regulation at each step of the translation project. In the original, a color code cross-references each step of the diagram with the corresponding entry in the table.

Obligations of the Client and the Translator at Each Step of the Translation Project

Before Project Launch

Client’s Obligations

  1. Determine whether the document to translate includes an EU resident’s personal data.
  2. Determine whether processing is lawful under the GDPR (Articles 5 and 6 of the Regulation).
  3. Evaluate whether the personal data can be pseudonymized before the file leaves the client, so that the translator receives only opaque tokens and the re-identification key stays with the client (Article 4 (5) of the Regulation). Pseudonymized data is still personal data, so this reduces risk rather than removing the GDPR from the picture.
  4. If the translator is based in a non-EU country, check whether that country has been determined as ensuring an adequate level of protection by the European Commission [5] or whether another “appropriate safeguard” must be in place.
  5. Carry out due diligence on the potential translator to determine whether he or she provides sufficient guarantees (Article 28 (1) of the Regulation): appropriate technical and organisational measures, and compliance with the principles of data protection by design and by default (Article 25).
  6. Agree with the translator on which encryption method to use to send the file to translate, and on how the decryption key or password will be shared over a separate channel from the file itself.
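Step 3 above is the one point in this checklist where a small tool helps more than a policy does. The script below is an added example for this article, not tooling from the article or from Translorial: it pseudonymizes a constructed sample contract (the text, the name list and the three identifier patterns are assumptions made for the example), keeps the token map on the client side, checks that nothing it knows how to recognize is left in the outgoing text, and re-identifies the delivered translation afterwards.

```python
"""Reversible pseudonymisation of a document before it is sent for translation.

Added example for this article; not the article's own tooling. The sample
text, the name list and the identifier patterns are constructed assumptions.
The client keeps the returned token map (the 'additional information' of
Article 4 (5) GDPR) and sends the translator only the tokenised text.
"""
import re
import secrets
from typing import Dict, List, Tuple

# Structured identifiers found by pattern. These three patterns are
# assumptions for the example; real documents need patterns tuned to them.
PATTERNS = {
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "PHONE": re.compile(r"\+?\d[\d ()-]{7,}\d"),
    "DATE": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
}


def pseudonymise(text: str, names: List[str]) -> Tuple[str, Dict[str, str]]:
    """Replace structured identifiers and listed names with opaque tokens.

    Returns (tokenised_text, token_map). token_map maps each token back to
    the original value and must stay with the client, separate from the text.
    """
    token_map: Dict[str, str] = {}   # token -> original value
    issued: Dict[str, str] = {}      # original value -> token, stable per document

    def token(label: str, value: str) -> str:
        if value not in issued:
            # Random token: the translator cannot infer the order or the
            # number of data subjects from it, and it cannot be guessed.
            tok = f"[[{label}_{secrets.token_hex(3)}]]"
            issued[value] = tok
            token_map[tok] = value
        return issued[value]

    # Patterns first, so an e-mail such as anne.dupont@... is tokenised whole
    # rather than being split by a later name replacement.
    for label, pattern in PATTERNS.items():
        text = pattern.sub(lambda m, lab=label: token(lab, m.group(0)), text)
    # Longest names first, so "Anne Dupont" is replaced before a shorter
    # "Anne" in the list could split it.
    for name in sorted(names, key=len, reverse=True):
        if name in text:
            text = text.replace(name, token("PERSON", name))
    return text, token_map


def reidentify(text: str, token_map: Dict[str, str]) -> str:
    """Client-side step after delivery: put the original values back."""
    for tok, value in token_map.items():
        text = text.replace(tok, value)
    return text


def residual_identifiers(text: str, names: List[str]) -> List[str]:
    """Check before sending: anything still matching a listed name or a
    pattern means the tokenisation was incomplete. This only catches what
    you can enumerate or describe; free-text identifiers such as a postal
    address still need a manual read-through."""
    found = [n for n in names if n in text]
    for pattern in PATTERNS.values():
        found.extend(pattern.findall(text))
    return found


# Constructed sample document, not a real contract.
SAMPLE = (
    "Employment contract between ACME SARL and Anne Dupont, born 12/03/1985, "
    "residing at 14 rue des Lilas, 75011 Paris. Contact: anne.dupont@example.org, "
    "+33 6 12 34 56 78. Witness: Marc Lefebvre."
)
NAMES = ["Anne Dupont", "Marc Lefebvre"]


def demo() -> Tuple[str, Dict[str, str], List[str]]:
    """Run the client-side workflow on the sample. Returns the text that
    would go to the translator, the map that stays behind, and the residuals."""
    tokenised, token_map = pseudonymise(SAMPLE, NAMES)
    return tokenised, token_map, residual_identifiers(tokenised, NAMES)


if __name__ == "__main__":
    tokenised, token_map, residual = demo()
    print("To translator:", tokenised)
    print("Kept by client:", token_map)
    print("Residual identifiers:", residual)
    assert reidentify(tokenised, token_map) == SAMPLE
```

Two things to notice when running it. The address “14 rue des Lilas, 75011 Paris” survives, because nothing in the name list or the patterns describes it; the residual check therefore reports nothing, which is exactly why the check is a safety net and not a substitute for reading the file before it goes out. And the token map is the only thing that turns the tokens back into people, so it is itself personal data and belongs in the client’s secured storage, never in the same e-mail as the file.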

Translator’s Obligations

  1. Ask the client whether the document to translate contains an EU resident’s personal data.
  2. Obtain confirmation from the client that the translation is lawful and fulfills one of the requirements of Article 6 (1) of the Regulation.
  3. Demonstrate to the client that the translator complies with the principles of data protection by design and by default: the translator delivers his or her security plan (for instance aligned with ISO/IEC 27001:2013 or a NIST framework) and security policy, and states who will have access to the file to translate.
  4. Evaluate whether the translation project requires sub-contracting (e.g. reviewer, other linguist, designer, etc.) and, if so, in which country, and obtain the client’s approval.

Project Launch

Client’s and Translator’s Shared Obligations

  1. Draft a service agreement between the client and the translator that includes their obligations (see section below “Mandatory Clauses in the Service Agreement Between the Client and the Translator”) or make sure the translation is governed by another legal act (see Article 28 of the GDPR).
  2. If the translator is based in a non-EU country and the European Commission has not issued an adequacy decision for that country, put in place an “appropriate safeguard” [6].
  3. Determine a procedure to follow if, after seeing the file, the translator finds that he or she does not have the knowledge to translate it.

Translator’s Obligation

Tell the client immediately if, in the translator’s opinion, an instruction infringes the Regulation (Article 28 (3) of the Regulation).

File Transfer to the Translator

Client’s Obligations

  1. Comply with the principles of data minimisation and data protection by default (Articles 5 (1)(c) and 25 (2) of the Regulation): give the translator only the data that requires translation, and pseudonymize what can be pseudonymized.
  2. Transfer the file via secure means: encrypt the file itself, not only the transport, and share the key or password over a separate channel.

Translator’s Obligations

  1. Store the file in a secure location: encrypted at rest, with access limited to the people named to the client.
  2. Confirm whether the project will be accepted and prepare a purchase order with the delivery terms that could not be settled before the translator had seen the file.

File Translation

Client’s Obligation

Ensure that the translator follows the client’s documented instructions.

Translator’s Obligation

Translate the file with the utmost confidentiality and security (physical and logical access controls, backups, traceability of who accessed the file and when, encryption, pseudonymization/anonymization).

Optional: Sub-Processing (Review, Design Work, etc.)

Translator’s Obligations

  1. Ensure that sub-contractors are bound by the same data protection obligations as the translator (Article 28 (4) of the Regulation), by signing a sub-processing agreement that sets out the sub-contractor’s obligations under the Regulation.
  2. Securely transfer the file to the sub-contractor(s).
  3. Ensure that all sub-contractors store the file in a safe place.

Translation Delivery to the Client

Translator’s Obligation

Transfer the file via secure means (data encryption).

After Delivery

Client’s Obligation

Retain the translation according to the client’s contractual and legal requirements.

Translator’s Obligations

  1. Retain the translation according to the translator’s contractual and legal requirements.
  2. At the end of the retention period: return the data to the client or delete it permanently, including all copies and backups, unless Union or Member State law requires the translator to keep it (Article 28 (3)(g) of the Regulation).

Other Mandatory Requirements Throughout the Translation Project

The translator must:

  1. Support the client if the data subject identified or identifiable in the file decides to exercise his or her rights under the GDPR.
  2. Support the client to fulfill his or her own obligations.
  3. Provide all evidence that demonstrates the translator’s compliance with the GDPR and enables the client to conduct audits.
  4. Assume full responsibility toward the client if the sub-contractor does not fulfill his or her obligations.
  5. Impose a non-disclosure obligation on people who work with the translator.
  6. Notify the client without undue delay of any personal data breach (such as a cyberattack or the loss of computers or mobile devices that contain the data) once the translator becomes aware of it (Article 33 (2) of the Regulation).
  7. Designate a representative in the EU if the translator is not based in the EU unless Article 27 (2) of the Regulation [7] applies to the translator.

The client must:

  1. Ensure that the translator complies with the Regulation.
  2. Monitor the translation project, which includes conducting audits and inspections of the translator.

Both the client and the translator must:

  1. Maintain a register with all GDPR data processing activities (see Article 30 of the Regulation) unless they meet the derogation requirements set out in Article 30 (5) of the Regulation [8] (see the CNIL’s drafted registry templates (in French) at https://www.cnil.fr/sites/default/files/atoms/files/registre-reglement-publie.xlsx [9])
  2. Designate a data protection officer in certain cases (see Article 37 of the Regulation):
    1. if they are a public body or authority
    2. if their core activities consist of processing operations that require regular and systematic monitoring of individuals on a large scale
    3. if their core activities consist of large-scale processing of sensitive data (the special categories of Article 9; see also recital 10 of the Regulation) or of data relating to criminal convictions and offences (Article 10)

Mandatory Clauses in the Service Agreement Between the Client and the Translator

As per Article 28 of the GDPR, “Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.” With this in mind, this section contains a brief overview of the mandatory clauses in the service agreement between the client and the translator if they choose to draw one up. For your convenience, please see the examples of sub-contracting clauses proposed by the CNIL in the Guide for Processors [2] until the EU standard contractual clauses are published. The following items are mandatory:

Conclusion

Complying with the General Data Protection Regulation when undertaking a translation project can be difficult due to the number of participants in the translation cycle. Compliance with the Regulation can only be ensured if all sub-contractors comply with it (all translation agency employees and/or all freelance translators and their reviewers, designers, etc.). Regardless of the number of participants, every project subject to the GDPR will require good communication between the client and their translator. Successful delivery will truly be a team effort where every participant has a role to play.

The GDPR is and will be a continuously evolving topic (e.g. adequacy decision concerning the EU-US Privacy Shield). Readers are therefore encouraged to deepen their knowledge of the Regulation. For further reading, please consider the websites of the EU countries’ supervisory authorities [10], as well as the Article 29 Working Party’s website for guidelines [11] on the Regulation.

Footnote i:

Article 46(2) of the Regulation:
“2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:
(a) a legally binding and enforceable instrument between public authorities or bodies;
(b) binding corporate rules in accordance with Article 47;
(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);
(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);
(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.”

Footnote ii:

Article 6 (1) of the Regulation:
“1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.”

Footnote iii:

Article 27 (2) of the Regulation:
“2. The obligation laid down in paragraph 1 of this Article shall not apply to:
(a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
(b) a public authority or body.”

Footnote iv:

Article 30 (5) of the Regulation:
“5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.”