Contracts with third parties
The GDPR provides that where a third party (i.e. a data processor) is to carry out data processing on behalf of a data controller the following criteria need to be satisfied:
- the data controller must ensure that it has obtained sufficient guarantees from the data processor to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subjects
- the data processor must not engage another data processor without the prior specific or general written authorisation of the data controller
- the processing must be governed by a legally binding contract in place between the data controller and the data processor
The contract between the data controller and the data processor should contain the following:
The contract should set out:
- Subject-matter and duration of the processing
- Nature and purpose of the processing
- Type of personal data
- Categories of data subjects
- Obligations and rights of the controller and processor
- Documented instructions (where possible)
2. Obligations on the data processor
The data processor must be required by the contract to:
- Only process personal data on documented instructions from the data controller
- Immediately inform the data controller if (in the data processor’s opinion) an instruction infringes UK or EU data protection law.
- Provide sufficient guarantees to implement appropriate technical and organisational measures to ensure their processing is compliant with data protection law. This includes making available all information necessary for the data controller to demonstrate compliance with the obligations around appointing data processors.
- Allow for and contribute to audits and inspections (these can be carried out by an auditor appointed by the data controller).
- Ensure that anyone it authorises to process the personal data is under a confidentiality obligation. This can be a contractual commitment by the individual, or a statutory obligation.
- Delete or return all personal data to the data controller after the end of the service provision. This extends to deleting all existing copies, unless EU or UK law requires storage of that personal data.
3. Providing assistance to the data controller
The contract should require the data processor to provide the following assistance to the data controller:
- In responding to data subject requests. The extent of this obligation takes into account the nature of the processing. This can extend beyond simple access requests, to portability, rectification, erasure, and objections.
- With ensuring compliance with security obligations, taking account of risk, which may include pseudonymisation, encryption, and regular testing.
- With ensuring compliance with breach notification obligations, the data controller is required to notify the ICO within 72 hours of becoming aware, and processors are required to notify controllers without undue delay.
- With carrying out Data Protection Impact Assessments (DPIAs). This is likely to focus around providing information on security measures, and notifying the data controller if any change in the data processor’s procedures may require a DPIA.
4. Restrictions on sub-processing
The contract should provide that the data processor will not appoint another data processor unless:
- They have the prior written consent of the data controller.
- They impose the same obligations on that data processor and receive sufficient guarantees around compliance. In any event, if that other data processor fails to comply with its obligations, the initial data processor remains liable to the data controller.
Contracts between processors and sub-processors or multiple controllers
Where personal data is being shared between a data processor and a sub-processor or between two or more data controllers, similar contracts to those described above should be put in place to govern that data sharing relationship.
Existing contracts should be reviewed to determine whether they are compliant with the obligations under the GDPR and if they are not compliant they should either be replaced or supplemented with additional provisions.
Where data is being transferred outside of the EEA, the parties may put in place a model clauses contract to cover the transfer. However, it is likely that updated model clauses will be issued in due course. For more information on model clauses i