Summary: Recent reforms to EU data protection law have thrown contractual terms relating to the use of personal data into sharper focus. A particular concern is that it can often be difficult to determine confidently the roles being played by the contracting parties. Is the service provider really a processor? Or is it a controller, like the customer?
Characterising the parties correctly is likely to be critical to ensuring that a contract relating to the use of personal data is fit for purpose, should it need to be relied upon. Getting it wrong could result in a breach of the new EU data protection law (worth avoiding given the increased fines) and is likely to mean that the parties take on unnecessary obligations or are unduly restricted in the scope of their activities. So, how do you assess if a party is a controller or processor? And, does it really matter?
When are data processing terms needed in an agreement?
The relationship between the parties to an agreement involving the handling of personal data determines whether statutory data processing clauses are required or something more nuanced is acceptable.
The clearest situation in which data processing terms should be included in an agreement is where a contract is entered into between a party that is a “controller” of personal data, and a party that is acting as a “processor” (a cloud hosting arrangement, or payroll services outsourcing are typical examples). In such situations, Article 28 of the General Data Protection Regulation (“GDPR”) requires the relationship to be governed by a “contract or other legal act under Union or Member State law”. Where the GDPR builds on the previous law is that it is much more detailed in setting out what the contract must contain, with some of the most contentious areas commonly being restrictions on the engagement of sub-processors, and the reporting of personal data breaches to the customer by the service provider.
Even when there is not a controller/processor situation, if significant personal data is involved, it will usually be appropriate to include data processing terms in a contract between two parties that are each acting as “controllers”:
- If it is envisaged that personal data will be shared between the parties on a large scale or on a regular basis, the Information Commissioner’s Data Sharing Code of Practice states that it is good practice to have a data sharing agreement in place. This will also assist a controller in demonstrating that it has complied with the principle of “accountability” under Article 5(2) of the GDPR.
- If the parties are “joint controllers”, meaning that they jointly make decisions about a single processing activity, Article 26 of the GDPR states that the responsibilities of the parties should be determined in a transparent manner “by way of an arrangement between them”. The use of the term “arrangement” appears to imply, in contrast with Article 28, that a contract is not the only means of complying with this requirement (although it is likely to be a convenient way of doing so).
Does it matter if a vendor is labelled a “processor” when it is not?
It can appear attractive for an organisation to contract with all vendors and service providers on the basis that they are processors; doing so may reduce the risk of not complying with the law by failing to include Article 28 clauses. But this approach might have unintended consequences. For instance, a company procuring services may unnecessarily take on the obligation to respond to data subject requests made to the vendor, or to report personal data breaches to supervisory authorities, where it should be the vendor making that difficult report directly. Similarly, a service provider that contracts on the basis that it is a processor, when actually it is a controller, will be limiting itself to processing personal data only on its customer’s instructions, and may be required to accept unworkable restrictions on its ability to engage sub-contractors or transfer out of the EEA.
How are ‘controllers’ and ‘processors’ identified?
The “controller” and “processor” concepts can appear simple on paper; however, they are often challenging to apply in practice. A controller “determines the purposes and means” of processing, whereas a processor is able only to process personal data “on behalf of” a controller. In practice, a typical controller/processor relationship involves the delegation of a processing activity by a controller.
The Information Commissioner has published guidance on how to identify if a vendor is a controller or processor. This guidance is still current even though it predates the GDPR. The guidance identifies seven decisions which can only be taken by a party acting as a controller. These are decisions around:
- whether to collect personal data in the first place and the legal basis for doing so;
- which items of personal data to collect, i.e. the content of the data;
- the purpose/s for which the data is to be used;
- which individuals to collect data about;
- whether to disclose the data, and if so, to whom;
- whether subject access and other individuals’ rights apply, i.e. the application of exemptions;
- how long to retain the data or whether to make non-routine amendments to the data.
The guidance also notes, however, that a party acting as a processor may have discretion over certain technical matters relating to the provision of their service, such as the IT systems used to collect personal data, the security surrounding the data, and the means used to delete or dispose of the data. So, not all control or decision-making is necessarily in the hands of the “controller”.
A party is also likely to be acting as a controller where it is subject to a legal or regulatory obligation to process personal data for a particular purpose. Professional service firms, for example, will often receive and process large volumes of personal data on behalf of their clients. Since those firms are subject to regulatory obligations, and therefore will process the data for their own purposes, they will generally be considered to be acting as a controller.
What does this mean going forward?
As market practice around the negotiation of data processing clauses continues to evolve, service recipients will continue to be attracted by the idea of a standard approach to contracting with particular categories of vendors. This may not serve either side well, particularly where the services to be provided are complex. Taking a little time at the negotiation and engagement stage to ensure the roles are correctly characterised could avoid costly consequences in the future.