Under the GDPR, when a ‘data controller’ engages a ‘data processor’, the two parties must enter into a written contract. Article 28 of the GDPR sets out the specific terms that, as a minimum, must be included in such contracts. These terms are required to ensure that the processor complies with the GDPR when processing personal data on the controller’s behalf. The Data Protection Act 1998 (the “DPA”) already required a written contract with a processor, but it only obliged the processor to act on the controller’s instructions and to keep the data secure; Article 28 adds a much longer list of mandatory terms, meaning that controllers who are currently compliant with the DPA will not necessarily have included these provisions in their processor contracts. The terms must be in place when the GDPR comes into force on 25 May 2018. Controllers and processors will therefore need to review their existing contracts and revise them as necessary and, where no contract is in place, agree terms before May 2018. The Information Commissioner’s Office (the “ICO”) has published draft guidance on this issue.
How are ‘data processors’ and ‘data controllers’ defined?
A ‘data controller’ is the ‘natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’ (Article 4(7)). For example, an employer which stores its employees’ data on a cloud-based HR software platform.
A ‘data processor’ is a ‘natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’ (Article 4(8)). For example, the provider of the cloud-based HR platform referred to above, which processes employee data on behalf of the employer.
When is a contract needed?
Under Article 28(3) of the GDPR, a contract (or other binding legal act) is needed whenever a controller uses a processor to process personal data, and under Article 28(4) whenever a processor engages another processor (a ‘sub-processor’) to carry out processing on the controller’s behalf. As such, the employer and the software provider must enter into a contract relating to the use of the platform referred to above. Similarly, the software provider must enter into contracts with any relevant sub-contractors (for example, a third party hosting the processor’s servers).
What are the mandatory contractual provisions?
Under the GDPR, the contract between a controller and a processor must set out the following details of the processing:
- the subject matter of the processing;
- the duration of the processing;
- the nature of the processing;
- the purpose of the processing;
- the type of personal data being handled;
- the categories of data subjects; and
- the obligations and rights of the data controller.
Controller’s Written Instructions
All contracts must provide that the processor may process the personal data only on the controller’s documented instructions (including in respect of any transfer of the data to a third country or international organisation), unless the processor is required to process it by EU or Member State law. In that case, the processor must inform the controller of the legal requirement before processing the data, unless the law prohibits it from doing so on important grounds of public interest.
Duty of Confidence
Contracts must include a provision obliging the processor to obtain a commitment of confidentiality from anyone it authorises to process the personal data (unless that person is already under an appropriate statutory duty of confidentiality). Practically speaking, this means that the processor’s employees, temporary and agency workers and any sub-contractors engaged to process personal data must enter into confidentiality agreements with the processor.
Security of Processing
The processor must be contractually bound to take the same security measures as the controller is obliged to take. Article 32 of the GDPR requires both the controller and the processor to implement ‘appropriate technical and organisational measures’ to ensure a level of security appropriate to the risk, including, as appropriate:
- the pseudonymisation and encryption of personal data;
- ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability of, and access to, personal data in a timely manner following a physical or technical incident (in practice, backing up personal data); and
- a process for regularly testing, assessing and evaluating the effectiveness of those measures.
Use of Sub-Processors
Processors must not engage sub-processors without the controller’s prior written authorisation, which can be given either generally or specifically. Using the example above, the provider of the cloud-based HR platform might wish to sub-contract with another party to perform part of the services on its behalf. Where sub-processors are engaged under a general written authorisation, the processor must inform the controller of any intended addition or replacement of sub-processors, giving the controller the opportunity to object. A processor must ensure that its contract with a sub-processor contains (at the very least) the same data protection obligations as are required in the contract between the controller and the processor. Ideally, these terms should mirror those agreed between the controller and processor, because if the sub-processor fails to fulfil its data protection obligations, the processor remains fully liable to the controller for the performance of those obligations.
Assistance with the Controller’s Obligations
A relevant contract must include provisions obliging the processor to assist the controller in complying with its obligations under Articles 32 to 36 of the GDPR, including:
- keeping personal data secure;
- notifying personal data breaches to the relevant supervisory authority;
- communicating personal data breaches to the affected data subjects; and
- carrying out data protection impact assessments and, where required, consulting the supervisory authority before processing.
The processor’s duty to assist is limited, however, by ‘taking into account the nature of processing and the information available to the processor’.
Processors must also assist controllers, by appropriate technical and organisational measures and insofar as this is possible, in fulfilling the controller’s obligation to respond to requests from data subjects exercising their rights under the GDPR, for example by retrieving and providing the relevant data following a subject access request. Under the GDPR, data subjects are entitled to have their personal data rectified or erased, and the contract must therefore oblige the processor to assist the controller in dealing with such requests for rectification or erasure.
End of Contract
At the end of the provision of services, the processor must, at the controller’s choice, delete or return all the personal data and delete any existing copies. The usual exception applies: the processor is not required to delete data that EU or Member State law requires it to retain.
Auditing and Inspections
The processor must make available to the controller all information necessary to demonstrate compliance with Article 28, and must allow for and contribute to audits, including inspections, conducted by the controller (or another auditor mandated by the controller) to verify that the processor is processing the data in accordance with the terms of the contract. The processor must also immediately inform the controller if, in its opinion, an instruction from the controller infringes the GDPR or other EU or Member State data protection law.
What to do next?
- Identify all existing relevant contracts with a term beyond 25 May 2018 and amend them as necessary. Examples of relevant contracts might include contracts with providers of cloud-based HR systems used to store employee details; contracts with cloud-based document-sharing services such as Dropbox; contracts with market research companies; and so on.
- Ensure any new relevant contract that you are about to enter into with a term beyond 25 May 2018 is drafted in accordance with the GDPR.