ICO is Consulting on its GDPR Guidance Regarding Contract Between Controllers and Processors

On 13 September 2017, the UK Data Protection Authority – the Information Commissioner’s Office (ICO) – opened a public consultation to get comments on its GDPR guidance addressing the contracts that controllers and processors will need to have in place when the GDPR comes into force on 25 May 2018.

Indeed, one of the numerous obligations created by the new European Regulation (in Article 28) requires that controllers and processors have a written contract in place stipulating, among other things, that the processor will not process data other than in accordance with the documented instructions of the controller, and that the processor will assist the controller in fulfilling its GDPR obligations. The contract must also address the use of sub-processors, the security controls in place, data transfers, and audits.

The ICO guidance is one of the first on the topic and will likely not be the last, as this new requirement has been generating some level of distress for companies that struggle to understand what truly needs to be included in those contracts, whether the necessary provisions can be included in an existing contract, or whether a separate agreement is required.

The guidance sets out how the ICO interprets the GDPR and its general recommended approach to compliance and good practice. It also specifies that the guidance will be updated in the future, taking into account additional guidelines that will come out, the ICO’s experience in applying the law from May 2018, and relevant developments and stakeholders’ feedback.

The written contract between the controller and the processor should include the following:

  • The subject matter and duration of the processing;
  • The nature and purpose of the processing;
  • The type of personal data and categories of data subject; and
  • The obligations and rights of the controller.

Contracts must also include as a minimum the following terms, requiring the processor to:

  • Only act on the written instructions of the controller;
  • Ensure that people processing the data are subject to a duty of confidence;
  • Take appropriate measures to ensure the security of processing;
  • Only engage sub-processors with the prior consent of the controller and under a written contract;
  • Assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
  • Assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
  • Delete or return all personal data to the controller as requested at the end of the contract; and
  • Submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.

The guidance further explains that the GDPR now also allows controllers and processors to use standard contractual clauses issued by the European Commission or a supervisory authority (such as the ICO). Such standard clauses can form part of a certification scheme or approved code of conduct, but while this is a significant change in the law, it should make little difference in practice at the beginning as no standard clauses are currently available.

Similarly, the GDPR allows a processor’s adherence to an approved code of conduct or certification scheme to be used as evidence of compliance. This will help controllers demonstrate that they have chosen a processor providing “sufficient guarantees” that it will process the personal data in accordance with the GDPR, but again, no such schemes have been approved so far, so this is not very helpful in practice at the moment.

The real difference with the GDPR is that processors now have direct responsibilities and obligations outside the terms of the contract. Processors can be held directly responsible for non-compliance with these obligations, or the contract terms, and may be subject to administrative fines or other sanctions and liable to pay compensation to data subjects.

Finally, the guidance sets out a helpful contracts checklist (pages 26 and 27 of the guidance) for companies to verify that their contracts meet the requirements of the GDPR.

The consultation will be open until 10 October 2017 and a form is available to easily submit a response.