The finalized EDPB Guidelines on the concepts of controller and processor (07/2020) in the GDPR were published this week. The Guidelines helpfully set out the EDPB’s recommendations on what should be included in data processing contracts between controllers and processors, in order to ensure compliance with Article 28 GDPR. We have set out some key highlights of the Guidelines below.
Do not merely restate provisions of Article 28 GDPR
The Guidelines warn that a data processing contract should not merely restate the provisions of Article 28 GDPR. Instead, it should include specific, concrete information as to how the requirements in Article 28 will be met. In particular, the contract should include specific details of the security measures that the processor must put in place to safeguard the data, and set out the terms under which the processor may transfer data to a third country.
However, the EDPB acknowledges that the contract between the parties should be drafted in light of the specific data processing activity and its risk profile. This means there is no need to impose stringent protections and procedures, where a processor is entrusted with a processing activity from which only minor risks arise, as long as all the elements of Article 28(3) are covered by the contract.
Processing contract must be in writing
Article 28(9) GDPR requires the data processing contract to be in writing, including in electronic form. To avoid any difficulties in demonstrating that the contract is actually in force, the EDPB recommends that the necessary signatures are included in the contract.
A written contract containing the obligations set out in Article 28(3) GDPR may be embedded in a broader contract, such as a service level agreement. However, in order to facilitate the demonstration of compliance with the GDPR, the EDPB recommends that the elements of the contract that seek to give effect to Article 28 GDPR be clearly identified together in one place (for example in an Annex).
In order to comply with the duty to enter into a contract, the controller and the processor may choose to negotiate their own contract including all the compulsory elements under Articles 28(3) and 28(4) or rely on the Article 28 Standard Contractual Clauses (SCCs) published by the European Commission, which came into force on 27 June 2021. The EDPB has said that the latter are not necessarily to be preferred. However, in some situations a controller or a processor may be in a weaker negotiation position and, in this scenario, the EDPB suggests that reliance on the EU Commission’s SCCs may contribute to rebalancing the negotiating positions and ensure that the contract complies with the GDPR.
The Guidelines make it clear that any proposed modification of a data processing agreement by a processor must be directly notified to and approved by the controller. Unilateral variation through publication of the revised terms on the processor’s website will not be compliant with Article 28.
What constitutes ‘Sufficient Guarantees’?
Pursuant to Article 28(1) GDPR, a controller has the duty to use “only processors providing sufficient guarantees to implement appropriate technical and organisational measures”, so that processing meets the requirements of the GDPR (including for the security of processing), and ensures the protection of data subject rights.
The controller’s assessment of whether the guarantees provided by the processor are sufficient needs to be made on a case-by-case basis, taking into account the nature, scope, context and purposes of processing as well as the risks for data subjects. In assessing the sufficiency of the guarantees provided by the processor, the controller can also take into account: the processor’s expert knowledge (e.g. technical expertise with regard to security measures and data breaches); the processor’s reliability; the processor’s resources, and the processor’s reputation.
The obligation to use only processors “providing sufficient guarantees” contained in Article 28(1) GDPR is a continuous obligation, so the controller is expected to verify the processor’s guarantees at appropriate intervals, which can be done, for example, through audits and inspections.
Obligation for processor to only process on the documented instructions of the controller
Article 28(3)(a) GDPR requires the contract to stipulate that the processor shall only process personal data on documented instructions from the controller. The Guidelines suggest that the controller’s instructions should be documented in an annex to the contract, or in another written form such as an email, and that the instructions are kept together with the contract.
The processor’s obligation to process data in line with the controller’s instructions also applies in respect of transfers of personal data to a third country. The EDPB states that the contract should specify, in particular, the requirements that processors have to meet in order to transfer data to third countries or international organisations, taking into account the provisions of Chapter V of the GDPR. The EDPB recommends that controllers pay due attention to this specific point, because if the instructions by the controller do not allow for transfers to third countries, the processor will not be allowed to assign the processing to a sub-processor in a third country.
Obligation for processor to implement appropriate security measures
Article 28(3)(c) GDPR requires the contract to include a provision requiring the processor to implement appropriate security measures. Whilst this obligation is already imposed directly on the processor under Article 32 GDPR, it still needs to be reflected in the contract concerning the processing activities entrusted by the controller.
The Guidelines make it clear that it is not sufficient to repeat the security requirements set out in Article 32. Instead, the contract should set out the specific security measures the processor has put in place, as this will enable the controller to assess the appropriateness of those measures. In addition, the description is necessary to enable the controller to comply with its accountability duty under Article 5(2) and Article 24 GDPR.
Use of Sub-Processors
The contract must also set out the obligations of the processor in regard to its use of sub-processors. Article 28(3)(d) GDPR requires the processor to respect the conditions referred to in Article 28(2) and 28(4) for engaging a sub-processor. In particular, the agreement must specify that the processor may not engage another processor without the controller’s prior specific or general written authorisation. In both scenarios, the EDPB recommends that the contract includes details as to the timeframe for the controller’s approval or objection.
The main difference between the specific authorisation and the general written authorisation scenarios lies in the meaning given to the controller’s silence. In the case of specific authorisation, the controller’s written consent is required before a particular sub-processor is appointed, whereas in the case of general written authorisation, the controller’s failure to object within a set timeframe can be interpreted as authorisation.
The EDPB state that in order for a controller to make the assessment and the decision as to whether to authorise the appointment of the sub-processor, the processor should be required to provide the controller with a list of intended sub-processors (including information such as their locations, the services they will provide and proof of what safeguards they have implemented). The controller should make its decision to grant or withhold authorisation taking into account its obligation to only use processors providing “sufficient guarantees.”
The EDPB suggest that the controller may include criteria to guide the processor’s choice of a sub-processor (e.g. guarantees expected from the sub-processor in terms of technical and organisational measures, and the expert knowledge, reliability and resources of the sub-processor). Regardless of the criteria suggested by the controller for choosing the sub-processor, the processor will remain fully liable to the controller for the performance of the sub-processor’s obligations. This is clearly set out in Article 28(4) GDPR. Therefore, the processor should ensure it proposes sub-processors providing sufficient guarantees.
When the processor engages another processor, a contract must be put in place between them, imposing the same data protection obligations as those imposed on the original processor. In cases where the controller decides to accept certain sub-processors at the time of the signature of the contract, a list of approved sub-processors should be included in the contract or an annex thereto. The list should then be kept up to date, in accordance with the general or specific authorisation given by the controller.
In addition, the EDPB recommend that the contract should include details as to the practical steps to be taken if the controller objects to the appointment of a sub-processor (e.g. by specifying the time-frame within which the controller and processor should decide whether the processing should be terminated).
Data Breach Notification
Article 28(3)(f) requires the contract to include an obligation for the processor to assist the controller with ensuring compliance with its obligations under Articles 32 to 36 GDPR (which include the controller’s obligation to report data breaches to the Data Protection Commission (DPC) and data subjects). The contract usually requires processors to notify the controller “without undue delay” after becoming aware of a data breach, which is in line with the processor’s statutory obligation under Article 33(2) GDPR. However, the EDPB recommend that the contract includes a specific time-frame for the processor to notify the controller of a breach, such as a particular number of hours. The EDPB also recommend that the contract stipulates the minimum content of the processor’s notification.
Whilst a contract between the controller and processor may include an authorisation and requirement for the processor to directly notify a data breach to the DPC or a data subject, the EDPB highlights that the ultimate legal responsibility for the notification remains with the controller under the GDPR.
Audits / Inspections
Article 28(3)(h) GDPR requires the contract to provide that the processor shall make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28, and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
The EDPB note that the contract should include details on how often and how the flow of information between the processor and the controller should take place, so that the controller is fully informed as to the details of the processing that are relevant to demonstrate compliance with the obligations laid down in Article 28 GDPR.
The processor should provide all information on how the processing activity will be carried out on behalf of the controller. Such information should include, inter alia, data location, transfers of data, who has access to the data, who the recipients of the data are, and which sub-processors are used. The EDPB state that the goal of an audit is to ensure that the controller has all information concerning the processing activity performed on its behalf and the guarantees provided by the processor.
In regard to audits, the EDPB assert that the processor may suggest the choice of a specific auditor, but the final decision has to be left to the controller in line with Article 28(3)(h) GDPR. Additionally, even if the inspection is performed by an auditor proposed by the processor, the controller retains the right to contest the scope, methodology and result of the inspection.
Following the results of the inspection, the controller should be able to request the processor to take subsequent measures (e.g. to remedy shortcomings and gaps identified). Likewise, the EDPB state that specific procedures should be established regarding the processor’s and the controller’s inspection of sub-processors. In practice service providers often push back on securing audit rights for their controllers in contracts with their subcontractors.
The allocation of costs between a controller and a processor concerning audits is not covered by the GDPR and is subject to commercial considerations. However, the EDPB warns parties against inserting contractual clauses envisaging the payment of costs or fees that would be disproportionate or excessive. This is because Article 28(3)(h) requires the contract to include an obligation for the processor to make available all information necessary to the controller, and an obligation to allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. If the costs of an audit were excessive, then it would have a dissuasive effect on the controller conducting one, which would be contrary to the objective of Article 28(3)(h) GDPR.
Termination for instructions infringing data protection law
According to Article 28(3) GDPR, the processor must immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other EU or national data protection law. The EDPB recommends that the parties negotiate and agree in the contract the consequences of a notification by the processor of an infringing instruction. One example would be to insert a clause permitting the processor to terminate the contract if the controller persists with an unlawful instruction. Another example would be a clause enabling the processor to suspend the implementation of the affected instruction until the controller confirms, amends or withdraws its instruction.
The Guidelines provide welcome clarity in respect of the EDPB’s expectations concerning the requirements of data processing agreements. It would be prudent for companies to review their precedent data processing contracts in light of the Guidelines, and determine whether any amendments are required going forward to ensure compliance with Article 28 GDPR. The Guidelines are very clear that data processing contracts should not simply restate the provisions of Article 28 GDPR, but rather should be tailored for the particular processing activity and its risk profile.