Coffee with a shot of transparency - Data protection aspects when tracing manufacturing conditions

Data protection aspects of tracing manufacturing conditions

What does the GDPR have to do with coffee pickers in Ethiopia?^[1] At first glance, nothing. But if providers use their data to trace manufacturing conditions, European data protection law may apply.

For both customers and companies the issue of sustainability, especially aspects such as fair production and regionality, is playing an increasingly important role. Ensuring the sustainability of products can not only be a competitive advantage, but also helps companies meet legal obligations. In various countries, monitoring and reporting obligations already apply to companies along global supply chains. Germany is about to enact corresponding regulations.  

Cultivation: Data-driven solutions for checking manufacturing conditions

In order to be able to identify and track environmental or human rights violations and working conditions from production to marketing - and thus comply with legal requirements - one thing above all must be done: take a closer look. Companies could use data-based solutions to do this.

Data-driven solutions for tracking goods on the supply chainhave been around for some time. However, the first providers are going a step further and offering (possibly additional) information on the manufacturing conditions of the goods. The process is similar for many of these providers. They combine and check data from several sources to find out by whom, where and how a product was manufactured. Numerous fields of application are conceivable here - depending on the available data, e.g:

• By inspecting official reporting documents on the employees of a factory and evaluating the recordings from the video surveillance installed there, conclusions can be drawn about how many people from which age groups work there. This makes it possible to check whether the reality matches the official documentation and whether local labour protection laws are being observed.
• In fishing, GPS data can be used to determine the actual catch location in order to find out whether the catch - as officially stated - took place in legal fishing areas.

Isolated providers take an even more thorough approach and have the findings confirmed by workers (e.g. via a questionnaire in an app).

The implementation of such audits by private providers is particularly suitable in emerging and developing countries, where the state infrastructure to effectively enforce legal standards is partly lacking. Data-based solutions could close this structural deficiency on a small scale.  

Harvest: Check against personal data

The tracing providers usually process personal data (e.g. reporting documents, interviews, video recordings) during the examination.

Depending on the type of tracing solution offered, the personal reference of the data is recognisable to the respective company. If an audit report is provided, it may be possible to establish a connection to individual farmers and their daily working lives from the report (e.g. on harvesting by micro-farmers) with the help of the company’s own delivery documents.

Such a connection does not have to be obvious at first glance. Even an assigned tracing number, which can be used to track a single worker unknown to the company during harvesting, could be personal data. The decisive factor is whether the company (e.g. with the help of the tracing provider) can identify the data subject. This must always be determined on the basis of the individual case (type of solution, relationship between provider and user).  

Preparation: Applicability of the GDPR  

If personal data is processed, the question of the applicability of the GDPR arises. The idea that, for example, a factory worker in an emerging country is protected by European law may be surprising at first glance. However, the rules on the scope of application of the GDPR can lead to the applicability of European data protection standards even if the factory worker himself has no relations with the EU.

The applicability of the GDPR must be determined separately for tracing providers and their clients.  

Processing: Distribution of responsibilities under data protection law

Only the specific tracing solution can provide information about the legal relationship between the tracing provider and the client company in data processing. The classification is important because it has an impact on the legality check and, depending on the relationship, the conclusion of data protection agreements is necessary.

For the most part, the companies that initiate the audit will be considered data controllers within the meaning of the GDPR and will mainly bear the compliance burden. This is supported by the fact that they make the essential decision about the purpose of the processing by initiating the audit of specific manufacturers. The tracing provider is then likely to act as an instruction-bound processor.

However, this distribution of roles can be different in individual cases. If both tracing providers and companies each pursue their own purposes in tracing (e.g. distribution of test results to several clients on the one hand and fulfilment of legal reporting obligations on the other), this would argue for individual or even joint responsibility of the parties involved.  

Brewing: GDPR obligations

Both data controllers and processors have their own obligations when the GDPR applies. These include information obligations vis-à-vis data subjects, documentation obligations, the obligation to take appropriate technical and organisational protection measures, including those to safeguard any third-country transfers.

The controller must also ensure that there is an effective legal basis for the data processing. Depending on the specific design of a supply chain law, data processing could be necessary, for example, for the fulfilment of relevant legal monitoring and reporting obligations. Overall, tracing solutions can be a great help for companies to comply with their legal obligations.

Before putting such a solution into operation, it should be checked whether and how a data protection-compliant use is possible.

[1] Ethiopia is considered the country of origin of the coffee plant and is still one of the most important coffee-growing countries today. However, the largest coffee exporting countries today are Brazil, Vietnam and Colombia. Source: United States Department of Agriculture Foreign Agricultural Service, Coffee: World Markets and Trade, 2019/20 Forecast Overview.