What Translation Agencies Need to Know about Data Protection
Personal data is understood to be all information that relates to an identified or identifiable person. This may be the name or date of birth, or other information such as medical records, information about a person’s creditworthiness, or their behavior.
The current Swiss Data Protection Act also protects the data of legal persons. The EU’s General Data Protection Regulation (GDPR) and the revised Swiss Data Protection Act (DPA), which is expected to come into force in 2022, restrict protection to natural persons.
Data processing in respect of translations
Data is processed when a text is translated. If the text to be translated contains personal data, data protection law will apply and the statutory regulations must be complied with. With regard to data processing, there is often a tripartite relationship. The translator processes not only the client’s data, but may also personal data of third parties.
Where several parties carry out data processing, the law distinguishes between the controller and the processor, each of whom is subject to different obligations. The controller decides on the purpose and means, i.e. has de facto control over the processing.
Both the GDPR and the Swiss DPA allow the data controller to transfer data processing. It is generally not necessary to obtain the consent of the person whose data is being processed. In such instances, the appointed service provider acts as processor.
The controller must ensure the appointed processor complies with the law when processing the data. This must be ensured with the use of a contract as the law specifies what must be regulated in the processing contract.
In addition, the controller must ensure that the processor can maintain data security. The processor may only engage another processor with the data controller’s prior consent.
Is a translator a controller or processor?
A service provider that processes data for customers often acts as a processor. This is the case at least if the customer alone decides on the purpose and means of the processing. But there may also be situations in which the service provider becomes the data controller with respect to the personal data that it is processing on behalf of a customer.
The question as to who is the controller and who is (merely) the processor in a service relationship cannot be answered in general terms, but will depend on the specific circumstances.
If a translation provider’s customer is interested exclusively in the results of the translation and has not set any specific instructions regarding the data processing and the technical means used, the translation service provider will generally assume the role of a data controller. If, on the other hand, the appointed translator receives strict instructions for handling the supplied data, he/she will be acting more as a processor.
This division of roles is relevant in certain circumstances. For example, if the translator uses third-party services and works with CAT tools and SaaS (software as a service) technologies for editing machine translation.
As a controller, the translation provider must ensure, among other things, that the technology provider does not violate data protection regulations. As a processor, the translator may only use these tools with the client’s consent.
Also relevant here are the legal provisions on the transfer of personal data abroad. This is generally permitted without the prior consent of the data subject, provided that the relevant destination country can ensure adequate data protection. Whether this is the case must be examined on a case-by-case basis, especially if the country is outside of the EU.