The Information Commissioner's Office (ICO) is consulting on draft guidance on contracts and liabilities between controllers and processors under the General Data Protection Regulation (GDPR).
The ICO has set out what must be included in the contract to ensure GDPR compliance, as well as what should be included as good practice. Although not required by the GDPR, the ICO suggests that the processor's direct responsibilities and liabilities under the GDPR are covered explicitly in the contract and that the extent of any indemnity is specified.
When is a contract needed?
Under the GDPR it will be a general requirement to have written contracts in place between controllers and processors. The controller must be very clear at the outset about the extent of the processing and what is being contracted out to the processor, so general and broad contract terms will not be sufficient. This is quite a significant legal development; however, many of the required terms may already be included in existing processing contracts, and the parties may supplement the minimum contractual terms specified in the GDPR with their own terms.
Appointing sub-processors
Processors may not appoint sub-processors without the controller's prior written authorisation. If authorisation is granted, the controller must be made aware of any changes made so they have an opportunity to object. The same minimum contract terms must be enforced on the sub-processor and the original processor remains liable to the controller for the sub-processor's compliance.
Standard contract clauses
Controllers must only appoint processors who can provide "sufficient guarantees" that GDPR compliance will be met and data subjects' rights protected. In the future, approved codes of conduct or certification schemes may be developed to help controllers satisfy this requirement, which could include standard contractual clauses as produced by the European Commission or a supervisory authority such as the ICO.
Responsibilities and liabilities
- The controller is responsible for ensuring that personal data is processed in accordance with the GDPR.
- The controller may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures.
- The controller will be fully liable for any damage caused by non-compliant processing unless it can prove that it was "not in any way responsible for the event giving rise to the damage".
- The controller can claim back some or all of the compensation from the processor to the extent that it is liable.
- Processors must only act on the documented instructions of a controller.
- Processors have contractual obligations to the controller and direct responsibilities under the GDPR.
- Processors can be held directly liable to pay compensation to data subjects or be subject to administrative fines or other sanctions.
- A processor will not be liable if it can prove it is not "in any way responsible for the event giving rise to the damage".
- A processor may claim back from a controller part of the compensation it paid for a controller's share of liability.
Next steps
The ICO recommends that businesses review existing and template contracts before 25 May 2018, when the GDPR comes into force, to ensure compliance. Processors should also be aware of, and understand, the reasons for the changes and their new responsibilities and liabilities.