Many companies have started the potentially lengthy process of auditing their service provider contracts to make sure that they comply with the requirements of the General Data Protection Regulation, which comes into force on May 25, 2018.
Fortunately for those companies that are trying to kick-start their contract audit process, the UK Information Commissioner’s Office (ICO) is forging ahead with its promised series of guidance documents to help companies get ready for the GDPR. The latest addition is a draft guidance note on the GDPR’s requirements for contracts between data controllers (the folks who make decisions about what personal data will be processed, and for what purposes) and data processors (the folks who carry out processing activities on behalf of a data controller).
The requirement that there be a contract between data controllers and their data processors is not itself new. Current EU data protection law requires data controllers to have contracts with data processors governing the security of the personal data held by the processor and requiring processor to process the personal data solely in accordance with the instructions of the controller.
But the contract requirements under the GDPR are much more expansive. Article 28 requires that the contract between the controller and processor include the following:
- A description of the subject matter and duration of the processing;
- A description of the nature and purpose of the processing;
- A description of the type of personal data and categories of data subjects;
- A description of the obligations and rights of the controller;
- The processor’s obligations to:
- process the personal data only on documented instructions from the controller
- transfer the personal data to a country outside of the European Economic Area (EEA) only on the controller’s instructions, unless required to do so by Union or Member State law to which the processor is subject (in which case the processor generally must inform the controller of the requirement);
- ensure that the relevant staff are bound by confidentiality obligations;
- comply with the GDPR’s security requirements (Art. 32);
- involve a sub-processor only with the controller’s consent;
- contractually flow down their obligations to any sub-processors;
- assist the controller with data subject requests, objections, etc.
- delete or return (at the controller’s election) the personal data to the controller when the services end (subject to any laws that require the personal data to be stored);
- provide to the controller all information needed to demonstrate the processor’s compliance with these obligations and to cooperate in audits by the controller – as well as assist as relevant to audits of the controller’s own data protection compliance; and
- tell the controller if the processor thinks that any of the controller’s instructions violate the GDPR or other applicable EU data protection laws.
The ICO’s guidance expands on these requirements and usefully explains how they relate to the new obligations imposed by the GDPR on data controllers and data processors. If you are interested in submitting feedback on the guidance, the ICO is seeking comments until October 10, 2017, after which the ICO will revise and finalize the guidance.
And of course, if you have concerns about the GDPR’s controller-processor contract requirements, please get in touch with a member of Mintz Levin’s Privacy & Security Practice.