In this briefing we seek to provide guidance as regards the work which may need to be undertaken in respect of privacy notices and contracts in order to achieve compliance with the requirements of the GDPR.
Transparency is one of the core principles of fair processing in Article 5 of the GDPR.
The Data Protection Act requires transparent processing information to be given to the data subject in order for the processing of personal data to be fair. The GDPR provisions focus on ensuring privacy information is understandable and accessible with a view to empowering individuals.
Article 13(1) and (2) sets out the information that data subjects are to be provided with when personal data is collected from them. This includes:
- The contact details of the Data Protection Officer, if applicable
- The purpose of processing together with the legal basis for processing
- The period for which personal data will be stored
- The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing as well as the right to portability
- Where processing is based upon consent, the right to withdraw that consent
- The right to lodge a complaint with the supervisory authority
- The existence of any automated decision-making or profiling
There is also still discretion for controllers to determine that a layered approach might be the best method of conveying the requisite information. The ICO has advised breaking service users into categories and devising separate notices for each to ensure they are appropriate for their respective levels of comprehension. Article 12(7) allows for the use of standardised icons alongside text. The Information Commissioner’s Office has produced a privacy notice checklist and guidance on good and bad practice which may be of use.
As the purpose for which data is held will change over time, it will be important for organisations to reflect the life cycle of subjects’ personal data in their privacy notices by citing the various conditions relied upon at each stage of the relationship.
The requirement for controllers to provide privacy notices to data subjects where their personal data is obtained from a third party is set out in Article 14.
As currently drafted, the Data Protection Bill (DPB) exempts certain processing from the requirements of Articles 13 and 14. However the final form of any such exemptions remains a matter for speculation as the DPB has not concluded its passage through parliament.
Contracts with processors
Article 28(1) GDPR states that controllers shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this regulation and ensure the protection of the rights of the data subject.
In practice, this means controllers should seek appropriate assurances from processors now as to their ability to achieve and maintain compliance with the regulation, so that there are few if any surprises come next May. ‘Processor’ has a broad meaning and so this provision should have a wide-ranging effect.
Article 28(3) GDPR requires controllers to include specific provisions in contracts which involve the passing of personal data to another party acting as a processor. The contract shall stipulate that the processor shall:
- Process personal data only on documented instructions from the controller
- Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Take all measures required under Article 32, which requires controllers and processors to implement technical and organisational measures to ensure a level of security appropriate to risk
- Respect conditions for engaging another processor (set out in Art 28(2) and (4))
- Assist the controller, by appropriate technical and organisational measures and in so far as is possible, in fulfilling the controller’s obligation to respond to requests for exercising the data subjects’ rights
- Assist the controller in ensuring compliance with Articles 32 to 36
- At the choice of the controller, delete or return the personal data after the end of the provision of services relating to processing, and delete existing copies unless Member State law requires storage
- Make available to the controller all information necessary to demonstrate compliance… and allow for and contribute to audits
Relevant provisions will need to be included in all contracts which will be in force after 25 May 2018. Current contracts which contain provisions drafted to reflect the DPA and the existing Privacy and Electronic Communications Regulation (PECR) obligations will need to be amended to reflect these developments.
It is hoped that the above guidance is helpful in highlighting areas where arrangements and responsibilities will need to be clarified with those outside the organisation. Should you have queries in relation to the above our Healthcare and Corporate teams would be happy to assist.