On 13 September, the Information Commissioner’s Office (ICO) published draft guidance on GDPR contracts and liabilities on contracts between controllers and processors under the GDPR (the “Guidance”). The ICO is consulting on the Guidance until 10 October. We summarize the key aspects of the Guidance below.
Under the GDPR, whenever a controller users a processor it needs to have a written contract in place. This is important so the parties understand their responsibilities and liabilities. The mandatory requirements of the data processing agreements are set out in Article 28 of the GDPR. The requirements under the GDPR build upon the general requirements under the Data Protection Directive that (i) a processor act only upon a controller’s instructions and (ii) to take appropriate measures to keep the personal data secure. Any contracts in place on 25 May 2018 must meet the new GDPR requirements, and the ICO recommends that existing contracts and template terms are reviewed and amended to comply with the GDPR.
The key requirements of the GDPR in respect of data processing terms are:
- to have a written contract in place when appointing a processor (whether as a controller or a processor appointing a sub-processor);
- the contract must set out:
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and categories of data subject; and
- the obligations and rights of the controller.
- the contract must contain the following minimum terms, requiring the processor to:
- only act on the written instructions of the controller;
- ensure that people processing the data are subject to a duty of confidence;
- take appropriate measures to ensure the security of processing;
- only engage sub-processors with the prior consent of the controller and under a written contract;
- assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
- assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
- delete or return all personal data to the controller as requested at the end of the contract; and
- submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a Member State.
Much of the ICO’s guidance on the above mirrors the GDPR itself, controllers and processors should note the following matters from the ICO:
- The ICO recommends setting specific details of processing as listed in the second bulled above, noting that controllers need to be very clear from the outset and cannot rely upon general catch-all terms. This approach could be seen to be somewhat heavy handed, particularly if the nature of the processing is self-evident from the nature of the services.
- A processor’s obligation to keep personal data confidential extends to all employees, temporary workers and agency workers.
- The processor’s obligations to ensure adequate security under Article 32 of the GDPR will be subject to separate guidance on security matters, and for now the ICO’s existing guidance under the Data Protection Act is sufficient.
- A processor’s obligations to assist the controller under Article 28(3)(f) are “not infinite” and are limited by taking into account the nature of the processing and information available to the processor.
The ICO does not provide any material guidance on the following matters which are often contentious during the negotiation of GDPR-compliant data-processing terms:
- How should a right to object to a change in subcontractors manifest? Termination?
- Is it possible to limit a controller’s right to audit a data processor? What pragmatic controls may be used by a processor to comply with this requirement (e.g. limiting the duration and scope of audits, whether third party certifications are a permissible substitute for third party certifications and so on). The Guidance appears to suggest that the processor may be able to provide information or submit to audits to satisfy the requirements under Article 28(3)(h).
The GDPR allows the use of standard contractual clauses for data processing issued by the European Commission or a Supervisory Authority (such as the ICO), although none have been issued as yet.
Controller responsibilities and liabilities
Under the GDPR, controllers may only use processors who provide sufficient guarantees that they will meet the requirements of the GDPR — with such guarantees typically being put in place by way of a contract. An approved code of conduct or certification scheme may also be available to help a controller demonstrate that it has chosen a processor who provides sufficient guarantees to process the persons data in accordance with the GDPR, although again, no such schemes have been approved so far.
The Guidance notes that controllers are ultimately responsible for ensuring that personal data is processed in accordance with the GDPR. Unless a controller can demonstrate that it is “not in any way responsible for the event giving rise to the damage” it will be fully liable for any damage caused by non-compliant processing to ensure a data subject receives effective compensation.
Again, the Guidance avoids some of the more challenging aspects of implementing risk allocation provisions relating to joint and several liability under the GDPR such as:
- Whether limitations and exclusions of liability could operate to prevent a party ‘claiming back’ losses under the joint and several liability regime.
- What control of defense and related provisions may be permissible under the GDPR?
Processor responsibilities and liabilities
The Guidance provides a helpful summary of processors’ responsibilities and liabilities in their own right:
- A processor must only act on the documented instructions of a controller.
- If a processor determines the purpose and means of processing (rather than acting only on the instructions of the controller) then it will be considered to be a controller and will have the same liability as a controller.
- In addition to its contractual obligations to the controller, under the GDPR a processor also has the following direct responsibilities:
- not to use a sub-processor without the prior written authorization of the data controller;
- to co-operate with supervisory authorities (such as the ICO);
- to ensure the security of its processing;
- to keep records of processing activities;
- to notify any personal data breaches to the data controller;
- to employ a data protection officer; and
- to appoint (in writing) a representative within the European Union if needed.
- If a processor fails to meet any of these obligations, or acts outside or against the instructions of the controller, then it may be liable to pay damages in legal proceedings, or be subject to fines or other penalties or corrective measures.
- If a processor uses a sub-processor then it will, as the original processor, remain directly liable to the controller for the performance of the sub-processor’s obligations.
On contract liabilities, the ICO notes that:
- Contracts could specify indemnities in respect of data processing and that professional advice should be obtained on this point.
- Under contract a processor may be directly liable for any failure to meet the terms of the relevant agreement with a controller.
- Where a sub-processor is used, there are potentially three parties liable under the GDPR toward a data subject (controller, processor and sub-processor).
While the above is a helpful start, data controllers and processors need to assess how the data processing terms fit within the wider risk allocation framework in their agreement including representations, warranties, indemnities, limitations and exclusions of liability and insurance.