Out-Law News 3 min. read
14 Sep 2017, 4:10 pm
Under the General Data Protection Regulation (GDPR), businesses that engage third parties to process personal data on their behalf will face new obligations in respect of the detail of those contracts.
In new draft GDPR guidance on contracts and liabilities between controllers and processors (28-page / 382KB PDF) it has opened for consultation, the UK's Information Commissioner's Office (ICO) said some existing contracts may need to be updated to reflect the new requirements.
"Any contracts in place on 25 May 2018 will need to meet the new GDPR requirements," the ICO said. "You should therefore check your existing contracts to make sure they contain all the required elements. If they don’t, you should get new contracts drafted and signed. You should review all template contracts you use. It would also be prudent to make sure that your processor understands the reasons for the changes and the new obligations that the GDPR puts on it. Your processor should understand that it may be subject to an administrative fine or other sanction if it does not comply with its obligations."
Currently, businesses that outsource personal data processing are obliged to have a contract in place with their data processors to bind those processors to requirements on keeping the data secure.
Under the GDPR, the data processing contracts that need to be put in place will need to be broader in scope, the ICO said.
"The contract must state details of the processing, and must set out the processor’s obligations," the watchdog said. "This includes the standards the processor must meet when processing personal data and the permissions it needs from the controller in relation to the processing. This is a significant change in what is required by law, but in practice you may already include many of the new contract requirements in your existing contracts, for commercial reasons or as good practice under the DPA (Data Protection Act)."
The ICO's draft guidance explained what provisions should be contained in GDPR-compliant data processing contracts, and urged data controllers to be "very clear from the outset about the extent of the processing that you are contracting out".
In future, new standard clauses that address the requirements for data processing contracts under the GDPR could be published by the European Commission or data protection authorities, the ICO said. No such clauses currently exist, however, it said.
Under the GDPR, businesses selecting third party data processors must ensure that those service providers "can provide 'sufficient guarantees' in terms of its resources and expertise, to implement technical and organisational measures to comply with the GDPR and protect the rights of data subjects", the ICO said. Data processors that adhere to codes of conduct or that participate in certification schemes can help businesses satisfy themselves that they meet those requirements, it said.
Data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said: "The onus is on the European Commission and data protection authorities, like the ICO, to establish new standard clause contracts to help businesses comply with the new requirements for data processing contracts. It is also notable that no codes of conduct or certification schemes are yet available that could help provide assurances of compliance. There are excellent opportunities for trade associations to develop and explore the potential of these mechanisms to build trust and compliance in their industry."
The ICO's guidance also addressed issues of liability. The watchdog said that businesses that outsource personal data processing do not outsource the liabilities that are associated with that activity.
"Unless you can prove that you were 'not in any way responsible for the event giving rise to the damage', you will be fully liable for any damage caused by non-compliant processing, regardless of your use of a processor," the watchdog said. "This ensures that the data subject is properly compensated. You may however be able to claim back all or part of the amount of compensation from your processor, to the extent that it is liable."
The draft guidance also warned data processors only to act on the "documented instructions" of data controllers.
"If a processor determines the purpose and means of processing (rather than acting only on the instructions of the controller) then it will be considered to be a controller and will have the same liability as a controller," the ICO said.
Processors will be directly subject to a raft of GDPR provisions, as well as accountable for non-compliance under the terms of their contracts, it said.
The ICO said: "Your processor also has some direct responsibilities and liabilities under the GDPR. When drawing up and negotiating a contract for data processing, it is good practice to make sure that your processor understands this. You may also wish to explicitly cover this in your contract, although the GDPR doesn’t require you to do so."
"For example you may want to include a clause to specify that nothing within the contract relieves your processor of its own direct responsibilities and liabilities under the GDPR – and to say what these are. Additionally the contract could specify the extent of any indemnity you have negotiated. In any case we would recommend that you and your processor obtain your own professional advice on this point," it said.
The ICO's consultation on the draft guidance is open until 10 October.