Under Article 28 of the General Data Protection Regulation (“GDPR”), controllers must only appoint processors who can provide “sufficient guarantees” to meet the requirements of the GDPR. Processors must only act on the documented instructions of the controller and they can be held directly responsible for non-compliance with the GDPR obligations, or the instructions provided by the controller, and may be subject to administrative fines or other sanctions and liable to pay compensation to data subjects.
On 13 September 2017, the UK’s supervisory authority, the Information Commissioner’s Office (“ICO”), published draft guidance on contracts between controllers and processors under Article 28 GDPR.
The Guidance aims to provide the ICO’s preliminary opinion on the content of the contracts for the processing of personal data. Leaving the description of the single requirements to the main source, the ICO provides an interesting “must have” check-list to help controllers and processors assess their contracts.
According to the Guidance, a contract must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, the obligations and rights of the controller. Other compulsory terms include:
As a matter of good practice, contracts:
A processor should also be aware that:
Certainly, the GDPR allows standard contractual clauses issued by the EU Commission or a Supervisory Authority (such as the ICO) to be used in contracts between controllers and processors. No standard clauses are, however, currently available.
The Guidance is merely a draft, representing ICO’s view on Article 28 GDPR, which needs to evolve to take account of future guidelines issued by relevant European authorities. With this in mind, businesses will have to continue their GDPR compliance process, making sure specific written contracts between controllers and processors (or sub-processors) contain the minimum set of requirements described above.
Source: ICT Legal Consulting