Under the GDPR, data controllers will need to ensure appropriate contracts are in place when engaging the services of data processors. The specific requirements around contracts and liabilities are set out in Article 28 of the GDPR and outlined below in a series of FAQs.
A data controller is a natural or legal person or organisation which determines the purposes and means of processing personal data.
A data processor is a natural or legal person or organisation which processes personal data on behalf of a controller.
An organisation engages a company which provides business services to administer its employee payroll function. The organisation also engages a marketing company to carry out a satisfaction survey of its existing customers. The business services company will need information about the organisation’s employees, and the marketing company will need information about its customers. Both companies will be processing the information on behalf of the organisation, and so they are both data processors. However, they will also be processing personal data about their own employees and, in respect of that personal data, they will be data controllers.
A network of town-centre CCTV cameras is operated by a local council jointly with the police. Both are involved in deciding how the CCTV system is run and what the images it captures are used for. The council and the police are joint data controllers in relation to personal data processed in operating the system.
For further information, see the Information Commissioner's Office guidance, Data controllers and data processors: what the difference is and what the governance implications are.
We will need to review existing data processing contracts and amend them as necessary to make sure they contain all of the new requirements outlined in 4 below.
In addition, we will need to ensure all future contracts are drafted to take account of the new requirements. The University's GDPR Working Party is currently looking at template development.
In addition, contracts must include the following GDPR terms that require the processor to:
Where we engage the services of a third party to provide a data processing operation for us, we should follow the ICO's checklist below:
Contract includes the following compulsory details:
- subject matter and duration of processing
- nature and purpose of processing
- type of personal data and categories of data subject
- obligations and rights of the controller
and compulsory terms:
- processor must only act on the written instructions of the controller (unless required by law to act without such instruction)
- processor must ensure that people processing the data are subject to a duty of confidence
- processor must take appropriate measures to ensure the security of processing
- processor must only engage a sub-processor with the prior consent of the data controller and a written contract
- processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR
- processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments
- processor must delete or return all personal data to the controller as requested at the end of the contract
- processor must submit to audits and inspections, provide the controller with whatever it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection laws of the EU or a member state
In addition, the following should also be covered:
- the contract should state that nothing within the contract relieves the processor of its own direct responsibilities and liabilities under the GDPR
- the contract should reflect any indemnity that has been agreed
Where we are a data processor, we will need to ensure the content outlined in 5 above is incorporated into the contract. In addition, we would need to ensure we: