ICO (UK Data Protection Authority) issues guidelines on the practical application of Article 28 of the GDPR: contracts for the processing of personal data
Under Article 28 of the General Data Protection Regulation (“GDPR”), controllers must only appoint processors who can provide “sufficient guarantees” to meet the requirements of the GDPR. Processors must only act on the documented instructions of the controller and they can be held directly responsible for non-compliance with the GDPR obligations, or the instructions provided by the controller, and may be subject to administrative fines or other sanctions and liable to pay compensation to data subjects.
On 13 September 2017, the UK’s supervisory authority, the Information Commissioner’s Office (“ICO”), published draft guidance (the “Guidance”) on contracts between controllers and processors under Article 28 GDPR.
The Guidance aims to provide the ICO’s preliminary opinion on the content of the contracts for the processing of personal data. Leaving the description of the single requirements to the main source, the ICO provides an interesting “must have” check-list to help controllers and processors assess their contracts.
According to the Guidance, a contract must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, the obligations and rights of the controller.
Other compulsory terms include:
- the processor must only act on the written instructions of the controller (unless required by law to act without such instructions);
- the processor must ensure that people processing the data are subject to a duty of confidence;
- the processor must take appropriate measures to ensure the security of processing (Article 32 GDPR);
- the processor must only engage a sub-processor with the prior consent of the data controller and a written contract;
- the processor must assist the data controller in providing the subject access and allowing data subjects to exercise their rights under the GDPR (Articles 15-22 GDPR) ;
- the processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing (Article 32 GDPR), the notification of personal data breaches (Article 33 GDPR) and data protection impact assessments (Article 35 GDPR);
- the processor must delete or return all personal data to the controller as requested at the end of the contract; and
- the processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if asked to do something infringing the GDPR or other data protection law of the EU or a member state.
As a matter of good practice, contracts:
- state that nothing within the contract relieves the processor of its own direct responsibilities and liabilities under the GDPR; and
- reflect any indemnity that has been agreed upon.
In addition to the above, the processor must:
- only act on the written instructions of the controller (Article 29 GDPR);
- not use a sub-processor without the prior written authorisation of the controller (Article 28.2 GDPR);
- co-operate with supervisory authorities (such as the ICO) in accordance with Article 31 GDPR;
- ensure the security of its processing in accordance with Article 32 GDPR;
- keep records of its processing activities in accordance with Article 30.2 GDPR;
- notify any personal data breaches to the controller in accordance with Article 33 GDPR;
- employ a data protection officer if required in accordance with Article 37 GDPR; and
- appoint (in writing) a representative within the European Union if required in accordance with Article 27 GDPR.
A processor should also be aware that:
- it may be subject to investigative and corrective powers of supervisory authorities (such as the ICO) under Article 58 of the GDPR;
- if it fails to meet its obligations, it may be subject to an administrative fine under Article 83 of the GDPR;
- if it fails to meet its GDPR obligations it may be subject to a penalty under Article 84 of the GDPR; and
- if it fails to meet its GDPR obligations it may have to pay compensation under Article 82 of the GDPR.
Certainly, the GDPR allows standard contractual clauses issued by the EU Commission or a Supervisory Authority (such as the ICO) to be used in contracts between controllers and processors. No standard clauses are, however, currently available.
The Guidance is merely a draft, representing ICO’s view on Article 28 GDPR, which needs to evolve to take account of future guidelines issued by relevant European authorities.
With this in mind, businesses will have to continue their GDPR compliance process, making sure specific written contracts between controllers and processors (or sub-processors) contain the minimum set of requirements described above.