The Information Commissioner's Office (ICO) has published draft GDPR guidance on 'Contracts and liabilities between controllers and processors' containing practical guidance on what needs to be included in contracts between controllers and processors and why (the Guidance). It also examines the responsibilities and liabilities of both controllers and processors.
Currently a contract between a controller and processor is used to demonstrate compliance with the seventh data protection principle (appropriate security measures) under the Data Protection Act 1998 (DPA). The GDPR goes further and sets out minimum terms that must be included whenever a processor is appointed to process personal data on behalf of the controller. The contract requirements are therefore aimed at ensuring compliance with all of the requirements of the GDPR, not just the security of personal data as is the case under the DPA.
The Guidance emphasises that organisations need to be very clear about the extent of the processing at the outset and cannot use very general or 'catch all' terms to state the parties will comply with the GDPR.
Article 28.3 of the GDPR requires the following information and terms to be included in the contract:
For more details, see the checklist on page 26 of the Guidance.
Whilst the GDPR permits the use of standard contractual clauses from the European Union Commission or a Supervisory Authority (such as the ICO), these standard clauses are not yet available.
Controllers: A controller is responsible for checking that its processors are competent to process personal data and can provide "sufficient guarantees", in terms of resources and expertise, that they can comply with the GDPR. The controller is ultimately responsible for ensuring that personal data is processed in accordance with the GDPR and is therefore subject to its corrective measures and sanctions (such as fines and compensation payable to data subjects), regardless of its use of a processor. It may, however, be possible for a controller to claim back all or part of the amount of compensation from its processors, to the extent that the processor is liable for an event of non-compliance.
Processors: A processor must only act on the documented instructions of a controller. If it acts without instructions and determines the purpose and means of processing, it will be considered to be, and will have the same liability as, a controller under the GDPR. In addition to its contractual obligations, a processor also has the following direct responsibilities under the GDPR:
A processor can be held directly responsible for non-compliance with these obligations, and with the contract terms, and can be liable to pay fines or compensation to data subjects. It may, however, be able to claim back from the controller part of the compensation paid if such non-compliance is in no way at all attributable to the processor.
Sub-processor: If the processor uses a sub-processor, the processor's contract with the sub-processor should impose the same legal obligations the processor itself owes to the controller, and the processor should not be relieved of its obligations to the controller when it uses a sub-processor. The sub-processor will therefore assume direct responsibilities and liabilities under the GDPR. In the event of a claim for compensation or an allegation of non-compliance, there are potentially three liable parties (controller, processor and sub-processor), each of whom may be able to claim against the others for their share of liability.
The Guidance poses the question 'Is this a big change?' The answer is that it depends on what your existing data sharing contracts say about processing. In practice, several of the new contract requirements may already be included in your existing contracts. However, the GDPR contract requirements are much wider than at present, and it is unlikely that any data processing contracts which have not yet been remediated to include the new GDPR provisions will be compliant. Organisations should check that existing data sharing contracts contain all of the required terms; if not, new data sharing contracts will need to be drafted, or variations agreed, to include the new provisions prior to the 25 May 2018 deadline.
As controllers are also responsible for ensuring that the processors they engage can comply with the requirements of the GDPR, they should carry out compliance assessments to ensure that their processors are providing "sufficient guarantees" in accordance with the requirements of the GDPR, and they should implement ongoing monitoring arrangements to ensure that contractual terms are adhered to.
Contributor: Jenai Nissim
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at November 2017. Specific advice should be sought for specific cases. For more information see our terms & conditions.