Under Article 28 of the General Data Protection Regulation (“GDPR”), controllers must only appoint processors who can provide “sufficient guarantees” to meet the requirements of the GDPR. Processors must only act on the documented instructions of the controller and they can be held directly responsible for non-compliance with the GDPR obligations, or the instructions provided by the controller, and may be subject to administrative fines or other sanctions and liable to pay compensation to data subjects.
On 13 September 2017, the UK’s supervisory authority, the Information Commissioner’s Office (“ICO”), published draft guidance on contracts between controllers and processors under Article 28 GDPR.
The Guidance aims to provide the ICO’s preliminary opinion on the content of the contracts for the processing of personal data. Leaving the description of the single requirements to the main source, the ICO provides an interesting “must have” check-list to help controllers and processors assess their contracts.
According to the Guidance, a contract must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, the obligations and rights of the controller. Other compulsory terms include:
As a matter of good practice, contracts:
A processor should also be aware that:
Certainly, the GDPR allows standard contractual clauses issued by the EU Commission or a Supervisory Authority (such as the ICO) to be used in contracts between controllers and processors. No standard clauses are, however, currently available.
The Guidance is merely a draft, representing ICO’s view on Article 28 GDPR, which needs to evolve to take account of future guidelines issued by relevant European authorities. With this in mind, businesses will have to continue their GDPR compliance process, making sure specific written contracts between controllers and processors (or sub-processors) contain the minimum set of requirements described above.
Source: ICT Legal Consulting
The SOCCRATES project is conducting an elaborate series of webinars to share its vision and insights with interested audiences. The first 5 webinars were centered around the SOCCRATES platform components and took place between October 2020 and June 2021. The second series will run until June of 2022 and address results achieved at the (Mnemonic, Vattenfall and Shadowserver) pilot sites.
The European Commission puts a great emphasis on the twin transition to a green and digital economy as the way forward for Europe.
In many sectors, SMEs can use enabling technologies to redesign their operations and become green(er). Standards are fundamental for sustainable technology as they provide reliable, consistent building blocks that can be universally understood and adopted. These building blocks aid in promoting compatibility and interoperability and speed up time-to-market.