The Information Commissioner's Office (ICO) has published draft GDPR guidance on 'Contracts and liabilities between controllers and processors' containing practical guidance on what needs to be included in contracts between controllers and processors and why (the Guidance). It also examines the responsibilities and liabilities of both controllers and processors.
When is a contract needed?
Currently a contract between a controller and processor is used to demonstrate compliance with the seventh data protection principle (appropriate security measures) under the Data Protection Act 1998 (DPA). The GDPR goes further and sets out minimum terms that must be included whenever a processor is appointed to process personal data on behalf of the controller. The contract requirements are therefore aimed at ensuring compliance with all of the requirements of the GDPR, not just the security of personal data as is the case under the DPA.
What needs to be included in the contract?
The Guidance emphasises that organisations need to be very clear about the extent of the processing at the outset and cannot rely on very general or 'catch all' terms that simply state that the parties will comply with the GDPR.
Article 28(3) of the GDPR requires the following information and terms to be included in the contract:
- the subject matter, nature, purpose and duration of the processing, the type of personal data processed and the categories of data subjects concerned;
- a requirement that processing is only undertaken on the documented (written) instructions of the controller;
- obligations of confidentiality on the processor (and its personnel) and an obligation for the processor to implement appropriate technical and organisational security measures to safeguard personal data;
- an obligation on the processor to assist the controller with complying with the GDPR, including but not limited to assistance with data protection impact assessments, data breach notification and implementing security measures;
- a requirement to delete or return all personal data to the controller at the end of the provision of the processing services;
- a prohibition on the processor appointing sub-processors without the controller's prior authorisation and, where a sub-processor is used, a requirement that the processor flows down the same obligations it owes to the controller and remains fully liable to the controller for all acts and omissions of the sub-processor;
- restrictions on the transfer of personal data outside of the European Economic Area;
- a requirement to make available to the controller (and to the ICO) all information necessary to demonstrate compliance with these mandatory terms, including by allowing for and contributing to audits and inspections.
For more details, see the checklist on page 26 of the Guidance.
Whilst the GDPR permits the use of standard contractual clauses adopted by the European Commission or a Supervisory Authority (such as the ICO), no such standard clauses are yet available.
Responsibilities and liabilities
Controllers: A controller is responsible for checking that its processors are competent to process personal data and can provide "sufficient guarantees", in terms of expertise, reliability and resources, of their ability to comply with the GDPR. The controller remains ultimately responsible for ensuring that personal data is processed in accordance with the GDPR and is therefore subject to its corrective measures and sanctions (such as fines and compensation payable to data subjects) regardless of its use of a processor. It may, however, be possible for a controller to claim back all or part of any compensation it has paid from its processors, to the extent that a processor is responsible for the event of non-compliance.
Processors: A processor must only act on the documented instructions of a controller. If it acts outside those instructions and itself determines the purposes and means of processing, it will be considered to be, and will have the same liability as, a controller in respect of that processing. In addition to its contractual obligations, a processor also has the following direct responsibilities under the GDPR:
- not to use a sub-processor without the prior written authorisation of the data controller;
- to co-operate with Supervisory Authorities (such as the ICO);
- to ensure the security of its processing;
- to keep records of processing activities;
- to notify any personal data breaches to the data controller;
- to appoint a data protection officer (if it meets certain criteria); and
- to appoint (in writing) a representative within the European Union if it is not established in the EU and the GDPR nonetheless applies to its processing.
A processor can be held directly responsible for non-compliance with these obligations, and with the contract terms, and can be liable to pay fines or compensation to data subjects. It will not be liable for compensation if it can prove that it is in no way responsible for the event giving rise to the damage, and where it has paid compensation in full it may be able to claim back from the controller the part corresponding to the controller's share of responsibility.
Sub-processors: If the processor uses a sub-processor, the processor's contract with the sub-processor should impose the same legal obligations that the processor itself owes to the controller, and the processor is not relieved of its obligations to the controller by using a sub-processor. The sub-processor will therefore assume direct responsibilities and liabilities under the GDPR. In the event of a claim for compensation or an allegation of non-compliance, there are potentially three liable parties (controller, processor and sub-processor), each of whom may be able to claim against the others for their share of the liability.
What do you need to do to prepare?
The Guidance poses the question 'Is this a big change?' The answer depends on what your existing data processing contracts already say. In practice, several of the new contract requirements may already be included in your existing contracts. However, the GDPR contract requirements are much wider than the current DPA requirements, and any data processing contract that has not been remediated to include the new GDPR provisions is unlikely to be compliant. Organisations should check that existing data processing contracts contain all of the required terms and, if not, draft new contracts or agree variations to include the new provisions before the 25 May 2018 deadline.
As controllers are also responsible for ensuring that the processors they engage can comply with the requirements of the GDPR, they should carry out compliance assessments to satisfy themselves that their processors provide "sufficient guarantees" in accordance with the GDPR, and should implement on-going monitoring arrangements to check that the contractual terms are adhered to in practice.