ICO consults on GDPR guidance on contracts and liabilities

The Information Commissioner's Office (ICO) is consulting on draft guidance on contracts and liabilities between controllers and processors under the General Data Protection Regulation (GDPR).

The ICO has set out what a contract must include to ensure GDPR compliance, and what it should include as good practice. Although the GDPR does not require it, the ICO suggests that the contract explicitly cover the processor's direct responsibilities and liabilities under the GDPR and specify the extent of any indemnity.

When is a contract needed?

Under the GDPR it will be a general requirement to have written contracts in place between controllers and processors. The controller must be very clear at the outset about the extent of the processing and what is being contracted out to the processor, so general and broad contract terms will not be sufficient. This is quite a significant legal development; however, many of the required terms may already be included in existing processing contracts, and the parties may supplement the minimum contractual terms specified in the GDPR with their own terms.

Appointing sub-processors

Processors may not appoint sub-processors without the controller's prior written authorisation. If authorisation is granted, the controller must be made aware of any changes made so they have an opportunity to object. The same minimum contract terms must be enforced on the sub-processor and the original processor remains liable to the controller for the sub-processor's compliance.

Standard contract clauses

Controllers must only appoint processors who can provide "sufficient guarantees" that GDPR compliance will be met and data subjects' rights protected. In the future, approved codes of conduct or certification schemes may be developed to help controllers satisfy this requirement, which could include standard contractual clauses as produced by the European Commission or a supervisory authority such as the ICO.

Responsibilities and liabilities

  • The controller is responsible for ensuring that personal data is processed in accordance with the GDPR.
  • The controller may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures.
  • The controller will be fully liable for any damage caused by non-compliant processing unless it can prove that it was "not in any way responsible for the event giving rise to the damage".
  • The controller can claim back some or all of the compensation from the processor to the extent that it is liable.
  • Processors must only act on the documented instructions of a controller.
  • Processors have contractual obligations to the controller and direct responsibilities under the GDPR.
  • Processors can be held directly liable to pay compensation to data subjects or be subject to administrative fines or other sanctions.
  • A processor will not be liable if it can prove it is not "in any way responsible for the event giving rise to the damage".
  • A processor may claim back from a controller part of the compensation it paid for a controller's share of liability.

Next steps

The ICO recommends that businesses review existing and template contracts before 25 May 2018, when the GDPR comes into force, to ensure compliance. Processors should also be aware of, and understand, the reasons for the changes and their new responsibilities and liabilities.


© SA LAW 2020