Data Controllers and Data Processors: Contracts and Key Liabilities Under GDPR
This week, we’re going to take a look at contracts between data controllers and data processors, and the responsibilities and liabilities that the General Data Protection Regulation imposes. It is now just over a year since the Regulation came into force and although the past twelve months have seen the carrot approach – enabling firms to get used to the new obligations – many firms have observed a rise in informed consumers making complaints to the ICO, and therefore in investigations.
The Information Commissioner’s Office has started to take enforcement action and with a few high-profile fines under the Regulation, the supervisory authority has made it clear that breaches will be enforced. At this point, firms will have a better understanding of the Regulation in practice, as well as consumer expectations, often gleaned through complaints submitted when customer requests or processes go wrong. This summer, firms should be undertaking an audit – whether they are a controller or a processor – to ensure that they have the policies and procedures required, and that they are fit for purpose, given the experience of the past year.
The GDPR brought with it new and more wide-ranging contract obligations for controllers using third parties to process data on their behalf. The Regulation details a set of terms that must be included in the contract, and – unlike the requirements of the Data Protection Act 1998 – these are not simply confined to the processing of personal data. While the Regulation brings substantial changes, in practice many contracts drawn up under the previous legislation will likely contain most of the requirements. Regardless, the most important takeaway for processors is that they have distinct responsibilities and obligations and can be held directly responsible for non-compliance.
The contract obligations are set out in Article 28, and they apply whenever a controller uses a processor to process personal data, and whenever a processor uses a sub-processor to process personal data. In the case of processor and sub-processor contracts, there should be no substantive difference in the terms – the contract must offer an equivalent level of protection for the personal data as in the contract between the controller and processor. Article 28 also requires that the controller only employs those third parties that can provide guarantees to implement appropriate technical and organisational measures in a way that they can be sure the processing will meet the requirements of the Regulation.
In short, contracts must:
Give details of the processing, including the subject matter, duration, nature and purpose, and the type and categories of data subject
Set out the obligations and rights of the controller AND of the processor
Set out the standards the processor has to meet when processing personal data
Documented instructions: That the processor can process the personal data only on written instructions from the controller. This term is about ensuring that the controller retains overall control of what happens to the data. The only exception is where the processor is required to process the information by Union or Member State law. Even then, the processor must inform the controller that this is the case, and state the legal requirement, before the processing takes place. This clause includes the transfer of personal data to a third country or international organisation; other than direct transfers, both processors and controllers should consider where the personal data is stored electronically to ensure they don’t fall foul. The instructions themselves can be included within the contract, or in a separate document or email, as long as they are in written format and able to be saved.
Confidentiality: The contract must set out that the processor ensures that anyone processing the data has given a commitment of confidentiality, or is under a ‘statutory obligation of confidentiality’. This should cover employees, temporary workers, external consultants, etc.
Security: Processors must ensure the security of the personal data, in line with Article 32. In practice, this means using all appropriate security measures, given the data type and the nature of the processing operation. The measures can include pseudonymisation and encryption, as well as the use of secure systems, backup, and the ability to restore access in the event of an incident. Processors should also have processes for regular testing and evaluation of their security measures and putting right any errors.
Data subjects’ rights: The contract should stipulate that the processor should offer all possible assistance to the controller, in the controller’s attempts to fulfil its obligations under the GDPR to the data subjects. In other words, the processor must offer the controller access and/or assistance in responding to data subject requests to exercise their rights.
Assist with compliance: The controller has specific obligations under Articles 32-36, such as keeping personal data secure, notifying the ICO and data subjects of any data breaches, carrying out Data Protection Impact Assessments, and consulting the ICO in the event a DPIA indicates a high risk that cannot be mitigated. The contract should set out, as clearly as possible, how the processor should assist the controller to meet these obligations.
Termination provisions: The contract should set out that at the end of the agreement, the processor should either delete or return all of the personal data, at the choice of the controller. This includes all copies of the data, unless EU or Member State law specifies it should be stored. Where the processor is aware that complete deletion may not be immediately possible, it should notify the controller at the time the contract is drawn up, and the controller should be satisfied that any safeguards, e.g. deletion during the next destruction cycle, are sufficient, and in line with Article 32 requirements.
Audits: The processor should be obliged to provide the controller with all the information needed to show compliance with Article 28 and must allow and contribute to audits and inspections carried out by the controller or their auditor.
Engaging a sub-processor: The contract should specify that a processor should not use a sub-processor without the controller’s written authorisation. Although Article 28(2) appears at first glance to allow for the processor to seek a general right to choose and engage sub-processors, firms should be aware that the general authorisation clause requires the processor to inform the controller of any intended changes, meaning that in practice, processors are obliged to inform the controller, and allow them to object to the change. This should be set out clearly in the contract.
This is to ensure that controllers are able to identify sub-processors to data subjects, so that they can meet their obligation to inform the subject of how their data is being used. Article 28(4) stipulates that the same data protection obligations in the contract between the controller and the processor must be included in the contract between the processor and the sub-processor. They do not need to be worded in exactly the same way, but must offer ‘equivalent protections’. The same Article sets out that where the sub-processor fails to ensure that the processing meets the requirements of the GDPR, the initial processor will be liable to the controller for the performance of the sub-processor’s obligations.
A controller is responsible both for its own compliance and for ensuring the compliance of any processors it uses, meaning it will be liable if processing operations breach the GDPR but will not be liable if it can prove it was not in any way responsible for the event. Processors are liable for their own, and for any sub-processor’s, compliance. A processor must process data in line with the controller’s instructions – if it does not, it will be considered a controller by the supervisory authority. Processors can be held liable for any processing breaches, and for any failure to meet the terms of the contract.