Getting prepared for the EU General Data Protection Regulation – review your data processor contracts
The GDPR has a major impact on the responsibilities of both data controllers and their data processors – the definition of the relationship between them will change and processors will need to step up accordingly.
Current law requires written contracts between controllers and processors, but under the GDPR more detailed contracts will need to be in place to cover additional requirements.
If your organisation is a data controller, you should have reviewed your contracts with processors to make sure both parties are well prepared and your risk from outsourcing is minimised. If you are a processor, you need to look at your contracts to protect your interests, in line with the new responsibilities and liability imposed upon your organisation by the GDPR.
Prior to the GDPR, responsibility for compliance rested almost entirely with the data controller, who was liable if things went wrong. Now, under the GDPR, the controller and processor could both be held responsible for compliance with the Regulation, and for compensating any damage (material or non-material) suffered by data subjects in the EU. A controller or processor shall only be exempted if they can prove they are ‘not in any way responsible’. And if the controller goes out of business, the processor carries the full burden.
Any sub-contractors engaged by the data processor must be notified to the controller and should be bound by the same terms as the main processor.
In time there will be Data Protection Certification Schemes developed by the regulators, which will help define and maintain high standards; however, these schemes will not be compulsory.
Data Processors will also have to consider whether they should appoint a Data Protection Officer. This may well become a requirement of procurement contracts.
Additional tasks processors are required to handle
There are many additional tasks for which processors will have to have processes in place, but here are a few important ones to consider.
1. Handling requests for erasure of personal data. The right to erasure enables EU data subjects to request that personal data concerning them be erased ‘without undue delay’. Controllers must inform data processors of any erasure request and, if the processor holds data on that individual, the processor must comply with that request.
2. Data transfers of EU data subjects’ information and processing outside of the EU.
3. Record keeping. If a data controller or processor has more than 250 employees, then detailed records of the processing undertaken need to be kept: a ‘Record of Processing Activities’. Smaller businesses are exempt unless the processing carried out carries a high privacy risk or involves sensitive data.
What must contracts contain?
• The contract term
• The categories of personal data and the nature of the processing
• The rights and duties of each party
• Processing can only be carried out with documented instructions of the controller
• The processor must provide sufficient guarantees as to technical and organisational measures to ensure GDPR compliance and the rights of data subjects
• Staff confidentiality
• Approval of sub-contractors by the data controller
• Assistance from the processor to handle the rights of data subjects (e.g. subject access requests, right to erasure, etc.)
• Assistance with conducting Data Privacy Impact Assessments and with Privacy By Design
• Deletion or return of data on termination
• Right for the data controller to audit the processor
• The processor must “call out” any instructions from the controller which could lead to a breach of the GDPR. This applies not just to an authorised disclosure but to any type of infringement of the Regulation.
• Standard contractual clauses may be drafted by The Commission and by regulators.
Processor Terms Template
Richard Jones of Clifford Chance and Ross McKean from DLA Piper and members of the International Regulatory Strategy Group (IRSG) Data sub-group have worked to produce a GDPR Article 28 (processor terms) example template.
What if the worst happens?
The GDPR states: Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
Where a controller or processor has paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage.
The new world of shared liability
Without doubt, the GDPR changes the relationship between controllers and processors, and spreads the risk of non-compliance with the Regulation. To be competitive, processors handling EU data will have to show that they are ready to assist the controller with the many responsibilities the GDPR brings.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.