GDPR-compliant contracts

Under the GDPR, data controllers will need to ensure appropriate contracts are in place when engaging the services of data processors. The specific requirements around contracts and liabilities are set out in Article 28 of the GDPR and outlined below in a series of FAQs.  

1. What do we mean by data controller and data processor?

A data controller is a natural or legal person or organisation which determines the purposes and means of processing personal data.

A data processor is a natural or legal person or organisation which processes personal data on behalf of a controller. 

Examples

An organisation engages a company which provides business services to administer its employee payroll function. The organisation also engages a marketing company to carry out a satisfaction survey of its existing customers. The business services company will need information about the organisation’s employees, and the marketing company will need information about its customers. Both companies will be processing the information on behalf of the organisation, and so they are both data processors. However, they will also be processing personal data about their own employees and, in respect of that personal data, they will be data controllers.

A network of town-centre CCTV cameras is operated by a local council jointly with the police. Both are involved in deciding how the CCTV system is run and what the images it captures are used for. The council and the police are joint data controllers in relation to personal data processed in operating the system.

For further information, see Information Commissioner's Office, Data controllers and data processors: what the difference is and what the governance implications are.

2. What does the GDPR say about contracts?

  • Contracts must be used wherever a processor is engaged to process personal data.  
  • Contracts are important for setting out responsibilities and liabilities of both parties.
  • Contracts must contain certain content from a data protection perspective (see 4 below). 
  • Controllers are liable for processor compliance with the GDPR and must only appoint a processor who can provide 'sufficient guarantees' that GDPR requirements will be met and the rights of data subjects protected. 
  • Processors must only process data on the documented instructions of a controller.
  • Outside the terms of the contract, processors can be held directly responsible for non-compliance with the GDPR and can be subject to administrative fines or other sanctions and made liable to pay compensation to data subjects. 

3. What do we need to do?

We will need to review existing data processing contracts and amend as necessary to make sure they contain all new requirements as outlined in 4 below. 

In addition, we will need to ensure all future contracts are drafted to take account of the new requirements. The University's GDPR Working Party is currently looking at template development. 

4. What information do we need to include in contracts?

Contracts must set out:

  • the subject matter and duration of the processing;
  • the nature and purpose of the processing;
  • the type of personal data and categories of data subjects;
  • the obligations and rights of the controller.

In addition, contracts must include the following GDPR terms that require the processor to:

  • only act on the written instructions of the controller;
  • ensure that people processing the data are subject to a duty of confidence;
  • take appropriate measures to ensure the security of processing; 
  • only engage sub-processors with the prior consent of the controller and under a written contract;
  • assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
  • assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
  • delete or return all personal data to the controller as requested at the end of the contract;
  • submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.

Source: Information Commissioner's Office, GDPR guidance: Contracts and liabilities between controllers and processors.


5. Is there a checklist available for controller and processor contracts?

Where we engage the services of a third party to provide a data processing operation for us, we should follow the ICO's checklist below:

Contract includes the following compulsory details:

Content | Tick box
subject matter and duration of processing | [ ]
nature and purpose of processing | [ ]
type of personal data and categories of data subject | [ ]
obligations and rights of the controller | [ ]

and compulsory terms:

Content | Tick box
processor must only act on the written instructions of the controller (unless required by law to act without such instruction) | [ ]
processor must ensure that people processing the data are subject to a duty of confidence | [ ]
processor must take appropriate measures to ensure the security of processing | [ ]
processor must only engage a sub-processor with the prior consent of the data controller and a written contract | [ ]
processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR | [ ]
processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments | [ ]
processor must delete or return all personal data to the controller as requested at the end of the contract | [ ]
processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection laws of the EU or a member state | [ ]

In addition, the following should also be covered:

  • the contract should state that nothing within the contract relieves the processor of its own direct responsibilities and liabilities under the GDPR;
  • the contract should reflect any indemnity that has been agreed.

Source: Information Commissioner's Office, GDPR guidance: Contracts and liabilities between controllers and processors.

6. What about where we are the processor?

Where we are a data processor, we will need to ensure the content outlined in 5 above is incorporated into the contract. In addition, we will need to ensure that we:

  • only act on the written instruction of the controller;
  • do not use the services of a sub-processor without the prior written authorisation of the controller; 
  • co-operate fully with any supervisory authority (e.g. the ICO);
  • ensure the security of data processing; 
  • notify the data controller of a personal data breach;
  • have a Data Protection Officer in place. 


7. Where can I get further information?

In the first instance have a look at the ICO's GDPR guidance available here. If things are still unclear, get in touch with the University's Information Governance Officer at dataprotection@york.ac.uk or by telephone on extension 3869.