Under the GDPR, both data controllers and data processors have compliance obligations and responsibilities. Processors for the first time have direct liability and may be subject to penalties and civil claims by data subjects for non-compliance with the terms of the GDPR.
It is very important that controllers and processors clearly document their respective obligations, and the GDPR requires a contract to be in place between them, setting out specific terms that processor/controller agreements must contain, as a minimum. This aims to ensure that processors only carry out processing as agreed with the controller and always in compliance with the terms of the GDPR. If the processor wishes to use a sub-processor for any part of its processing, it will also require a written contract to be in place (as well as having the controller's consent to engage such sub-processors).
Article 28(3) states that:
“Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller …”
GDPR-compliant controller/processor contracts should contain, as a minimum:
- The subject matter and duration of processing;
- The nature and purpose of the processing;
- The type of personal data and categories of data subject;
- The obligations and rights of the controller;
- Requirements for the processor to:
  - Only act on the written instruction of the controller;
  - Ensure that people processing data are subject to a duty of confidence;
  - Take appropriate measures to ensure the security of processing;
  - Only engage sub-processors with the prior consent of the controller and under a written contract;
  - Assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
  - Assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
  - Delete or return all personal data to the controller as requested at the end of the contract (unless it is required to retain it by law); and
  - Submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
The requirement to have these specific terms within the contract means that the parties must be clear from the outset as to the parameters of the processing to be undertaken, and very general or “catch-all” contract terms must be avoided. Restricting processing to the strict terms of the contract not only clarifies each party’s obligations but also means that any changes to the scope of the processing must be agreed, so that any new risks introduced by changes to the scope can then be assessed as necessary.
In the future, standard contractual clauses may be drafted by the EU Commission or the ICO, or may form part of a code of conduct or certification mechanism, which controllers and processors can then use as a basis for their contractual relationship. However, such standards have not yet been drafted, so controllers and processors should engage legal advisors to draft appropriate agreements.
Processors should take note that on top of the processor obligations required in their written agreement as set out above, under the GDPR a processor has other direct responsibilities including keeping records of processing activities, notifying data breaches to the data controller and employing a data protection officer where appropriate.
However, despite the above potential liability of a processor, controllers should be aware that, as data controller, they are ultimately responsible for ensuring that personal data is processed in accordance with the GDPR. Regardless of the processor used and the contract in place, controllers may be subject to any of the corrective measures or sanctions set out in the GDPR and may be fully liable for any damage caused by non-compliant processing, unless they can prove that they were “not in any way responsible for the event giving rise to the damage”. This ensures that the data subject will always be fully compensated. The controller may then be able to claim back this compensation from the processor, to the extent that the processor is liable.
Both controllers and processors must therefore review their current written agreements to ensure that they are GDPR compliant. Some of the provisions set out above may already be included in existing controller/processor contracts, so a complete overhaul may not be required. If, however, not all the required terms are currently included, new contracts should be drafted and agreed or appropriate amendments made. If organisations use standard controller/processor templates, these should also be reviewed and updated accordingly. Controllers must also ensure that the processors they are using understand their obligations and the reasons for the changes within the contracts.