Guidelines on the application of Article 28 of GDPR

Under Article 28 of the General Data Protection Regulation (“GDPR”), controllers must only appoint processors who can provide “sufficient guarantees” to meet the requirements of the GDPR. Processors must only act on the documented instructions of the controller and they can be held directly responsible for non-compliance with the GDPR obligations, or the instructions provided by the controller, and may be subject to administrative fines or other sanctions and liable to pay compensation to data subjects.

On 13 September 2017, the UK’s supervisory authority, the Information Commissioner’s Office (“ICO”), published draft guidance on contracts between controllers and processors under Article 28 GDPR.

Main issues

The Guidance aims to provide the ICO’s preliminary opinion on the content of contracts for the processing of personal data. Leaving the description of the individual requirements to the Guidance itself, the ICO provides a useful “must have” checklist to help controllers and processors assess their contracts.

According to the Guidance, a contract must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, and the obligations and rights of the controller. Other compulsory terms include:

  • The processor must only act on the written instructions of the controller (unless required by law to act without such instructions);
  • The processor must ensure that people processing the data are subject to a duty of confidence;
  • The processor must take appropriate measures to ensure the security of processing (Article 32 GDPR);
  • The processor must only engage a sub-processor with the prior consent of the data controller and a written contract;
  • The processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR (Articles 15-22 GDPR);
  • The processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing (Article 32 GDPR), the notification of personal data breaches (Article 33 GDPR) and data protection impact assessments (Article 35 GDPR);
  • The processor must delete or return all personal data to the controller as requested at the end of the contract;
  • The processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if asked to do something infringing the GDPR or other data protection law of the EU or a member state.

As a matter of good practice, contracts:

  • State that nothing within the contract relieves the processor of its own direct responsibilities and liabilities under the GDPR;
  • Reflect any indemnity that has been agreed upon.

A processor should also be aware that:

  • It may be subject to investigative and corrective powers of supervisory authorities (such as the ICO) under Article 58 of the GDPR;
  • If it fails to meet its obligations, it may be subject to an administrative fine under Article 83 of the GDPR;
  • If it fails to meet its GDPR obligations it may be subject to a penalty under Article 84 of the GDPR;
  • If it fails to meet its GDPR obligations it may have to pay compensation under Article 82 of the GDPR.

The GDPR also allows standard contractual clauses issued by the EU Commission or a supervisory authority (such as the ICO) to be used in contracts between controllers and processors. No standard clauses are, however, currently available.

Practical actions/implications

The Guidance is merely a draft, representing the ICO’s view on Article 28 GDPR, which will need to evolve to take account of future guidelines issued by the relevant European authorities. With this in mind, businesses will have to continue their GDPR compliance process, making sure that specific written contracts between controllers and processors (or sub-processors) contain the minimum set of requirements described above.

Source: ICT Legal Consulting

News

SMESEC project Open Call for SMEs and SME associations
SMESEC has released an open call for SMEs and SME associations in order to validate the SMESEC framework and, at the same time, improve their systems’ security.

SMESEC is inviting SMEs to participate in the validation of the SMESEC framework. By participating you not only influence the evaluation of the SMESEC framework, but also improve your own company’s security and can receive up to €20.000 in funding.

Future Events

CYBERUK 2019
24/04/2019 to 25/04/2019

CYBERUK is the UK government’s flagship cyber security event. Hosted by the National Cyber Security Centre (NCSC), it features world-class speakers, solutions and opportunities for interaction between the public and private sectors. You will be briefed on the evolving cyber threat and how we must respond as individuals and as a community to keep Britain safe in cyberspace.

Where: Scottish Event Campus (SEC), Glasgow
When: 24-25 April 2019