
Expert Advice Community

DPIA
Guest user Created:   Nov 09, 2020 Last commented:   Nov 13, 2020

Dears, I would appreciate your support in providing me with your advice regarding the following:

1. As a processor, should I perform a DPIA (is it required)?
2. If the controller is not in compliance with the GDPR and didn't share any direction with the data processor (in other words, the controller didn't ask the processor to be in compliance with the GDPR), will the data processor be liable if any security breach occurs?
3. Is it required for the traffic containing PII between a company and a service provider to be encrypted?


Expert
Alessandra Nisticò Nov 13, 2020

1. As a processor, should I perform a DPIA (is it required)?

Article 35 GDPR defines the Data Protection Impact Assessment (DPIA) as an obligation of the controller. Among the obligations of the processor, however, Article 28 GDPR requires it to “inform the controller of that legal requirement before processing”. This means that if a DPIA is required of the controller and the processor becomes aware of it, the processor should represent to the controller that a DPIA is needed. Of course, it is an obligation to inform, so it is the controller who shall perform the DPIA and the consequences shall be on the controller.

2. If the controller is not in compliance with the GDPR and didn't share any direction with the data processor (in other words, the controller didn't ask the processor to be in compliance with the GDPR), will the data processor be liable if any security breach occurs?

From your question I understand that the controller transferred data to the processor without giving any instruction on the basis of a commercial agreement without clauses on data processing.

In this case, the processor will be liable if any security breach occurs for data processed by the processor on behalf of the controller. In fact, Article 28 GDPR requires the processor to adopt security measures in compliance with Article 32 GDPR, which requires that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. Therefore, if you are processing personal data on behalf of someone else, you are liable for security. As stated in the answer to the first question, you should inform the controller about the requirement, and you can propose your own data processing agreement (e.g. as Google does with its clients).

Article 28(3) GDPR imposes on the processor a duty of information and supervision over the controller's compliance with GDPR requirements. Therefore, increasing the controller's awareness of the applicability of the GDPR and helping controllers to comply with GDPR requirements can be considered both additional market value for the processor and a legal requirement to avoid liability.

In fact, accepting to process personal data without questioning the applicability of the GDPR can be interpreted as a violation of the processor’s vigilance duty laid out in Article 28 GDPR, in case the Regulation is applicable and a data breach occurs. Article 28 (f) states that the processor “assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor”.

Of course, if the controller stated that the GDPR is not applicable and no information is available to the processor despite its requests, the processor could not be considered liable in case of a data breach.

3. Is it required for the traffic containing PII between a company and a service provider to be encrypted?

The GDPR leaves it up to the controller and the processor to determine the appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Of course, encryption is nowadays considered a good security measure, so it is highly suggested.

Here you can find more information:

You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
