
GDPR: Controller Processor Contracts & Liabilities

GDPR Controller Processor Contract

This post is presented for information purposes only and references the GDPR, which may differ from the Data Protection (Jersey) Law 2018.
The content of this post does not constitute legal advice and should not be relied upon as such.
Consult your legal counsel for your particular legal clarity and understanding of your rights and obligations in order to comply with any laws and/or regulations.

For guidance on Jersey law, follow this link: https://www.oicjersey.org/wp-content/uploads/2018/04/2018.03.13-Duties-of-Data-Controllers.pdf

Who is a Data Controller under the GDPR?

A data controller determines the purposes and means of processing personal data. A data controller must be recognised as a “person” in law, including:

  • Individuals
  • Organisations
  • Other incorporated and unincorporated bodies of persons

Most data controllers will be organisations but can also be individuals (for example, people who are self-employed).

Who is a Data Processor under the GDPR?

A data processor is any person (other than an employee of the data controller) responsible for processing personal data on behalf of a controller.

Most data processors will also be data controllers, because of the processing necessary for their own purposes (e.g. sales and HR).

GDPR Controller and Processor Liabilities

The GDPR gives processors responsibilities and liabilities in their own right; processors, as well as controllers, may now be liable to pay damages or be subject to fines or other penalties.

Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.

However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

Similarly, if a processor employs another processor (Sub-Processor) it needs to have a written contract in place.

Processors must only act on the documented instructions of a controller. They will, however, have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply.

Data Processor Requirements under GDPR

Under GDPR, data processors must:

  • only act on the written instructions of the controller (Article 29);
  • not use a sub-processor without the prior written authorisation of the controller (Article 28.2);
  • co-operate with supervisory authorities (such as the ICO) in accordance with Article 31;
  • ensure the security of its processing in accordance with Article 32;
  • keep records of its processing activities in accordance with Article 30.2;
  • notify any personal data breaches to the controller in accordance with Article 33;
  • employ a data protection officer if required in accordance with Article 37; and
  • appoint (in writing) a representative within the European Union if required in accordance with Article 27.

Data Processor Liabilities under GDPR

Processors need to be aware that:

  • they may be subject to the investigative and corrective powers of supervisory authorities (such as the ICO) under Article 58 of the GDPR;
  • if they fail to meet their obligations, they may be subject to an administrative fine under Article 83 of the GDPR;
  • if they fail to meet their GDPR obligations, they may be subject to a penalty under Article 84 of the GDPR;
  • if they fail to meet their GDPR obligations, they may have to pay compensation under Article 82 of the GDPR; and
  • a processor must only act on the documented instructions of a controller. If a processor determines the purposes and means of processing (rather than acting only on the instructions of the controller), it will be considered a controller and will have the same liability as a controller (Article 28.10).

Controller Processor Contracts

The GDPR makes written contracts between controllers and processors a general requirement.

Whenever a controller uses a processor (a third party who processes personal data on behalf of the controller) it needs to have a written contract in place.

The GDPR envisages that adherence by a processor to an approved code of conduct or certification scheme (e.g. ISO 27001, SOC 1, 2 and 3, PCI DSS, etc.) may be used to help controllers demonstrate that they have chosen a suitable processor.

Standard contractual clauses may form part of a code or scheme, though no codes or schemes are currently available from the UK ICO/EU.

Contracts between controllers and processors ensure that they both understand their obligations, responsibilities and liabilities. They help both to comply with and evidence their compliance with the GDPR.

The use of contracts by controllers and processors may increase data subjects’ trust in the protection of their personal data.

Controller Processor Contracts Checklist

Compulsory details:

  • the subject matter and duration of the processing;
  • the nature and purpose of the processing;
  • the type of personal data and categories of data subject.

Compulsory terms:

  • the processor must only act on the written instructions of the controller (unless required by law to act without such instructions);
  • the processor must ensure that people processing the data are subject to a duty of confidence (e.g. a non-disclosure agreement);
  • the processor must take appropriate measures to ensure the security of processing (e.g. identity and access management, encryption, data loss prevention);
  • the processor must only engage a sub-processor with the prior consent of the data controller and a written contract between the processor and sub-processor;
  • the processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
  • the processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments (Articles 32-36);
  • the processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their obligations (Articles 24-31), and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state; and
  • the processor must delete or return all personal data to the controller as requested at the end of the contract.

Good practice:

  • state that nothing within the contract relieves the processor of its own direct responsibilities and liabilities under the GDPR; and
  • reflect any indemnity that has been agreed between the controller and processor.
