
ICO guidance on contracts and liabilities between controllers and processors

Published on 08 April 2019

What are the contractual liabilities and requirements of a data processor and a data controller under the GDPR?

The background

Before the GDPR, a data controller would typically have a contract in place with a data processor which would outline that the processor was secure and would be required to perform the controller’s demands.  The GDPR, however, has created an obligation for the parties to produce a more substantial contract with a set of further requirements.

The Information Commissioner’s Office (ICO) has released guidance aimed at assisting data controllers and processors in complying with the GDPR’s contract term requirements and advising them on what their respective liabilities are.

The development

The obligation for a contract

Article 28(3) of the GDPR states that “Processing by a processor shall be governed by a contract or other legal act …”.

The ICO advises that, in the UK, using a written contract between the controller and processor in relation to its processing activities is the most suitable method of being in compliance with the GDPR.  The ICO provides that a direct contract is not necessary as long as the processor is contractually bound to the controller.  In addition, any agreement between a processor and a sub-processor must be confirmed in a written contract and must provide an equal level of protection for the data as that in the contract between the controller and processor.

Contract requirements

  • The processor processes the personal data only on documented instructions from the controller (Article 28(3)(a)): the ICO states that, provided that they are written and are in a form that is able to be saved, the documented instructions can be given separately.
  • Those processing data must have committed themselves to confidentiality (Article 28(3)(b)): the guidance states that the confidentiality term in the contract should include all employees, including temporary and agency staff who may be able to access the data.
  • The processor must take all measures required pursuant to Article 32 (Article 28(3)(c)): the ICO determines these measures to include encryption and pseudonymisation, ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services and providing for regular testing and assessments of the effectiveness of the measures.
  • The processor shall not engage another processor without prior specific or general written authorisation from the controller. In addition, if a processor contracts with a sub-processor, it should set out the same Article 28(3) requirements on that sub-processor (Article 28(3)(d)): the guidance clarifies that the actual contract wording need not be exactly the same as the contract between the controller and the processor but the contract should provide the same level of protection for the data.
  • The processor, at the end of the agreement, must, on the controller’s instruction, either erase or return the processed data and also erase existing copies of the data unless the EU or Member State law provides otherwise (Article 28(3)(g)): the guidance, acknowledging that the deletion of data may not be able to happen immediately, proposes that data does not have to be deleted immediately as long as there are the relevant safeguards, the period that it is kept is satisfactory and that the data is deleted in a timely fashion.
  • The processor must ‘make available to the controller all information necessary to demonstrate compliance’ with the Article 28(3) obligations and must also ‘allow for and contribute to audits, including inspections,’ undertaken by the controller or on behalf of the controller: the guidance recognises that there is no obligation imposed on the processor to keep records of the processing that is specifically conducted for the controller. However, there is an obligation for processors to keep a record of their processing activities.

Controller’s responsibilities and liabilities

  • Art 28(1) states that a controller has the responsibility of ensuring that the processor can provide ‘sufficient guarantees’ to process and protect personal data in compliance with the GDPR: the guidance states that ‘sufficient guarantees’ could be determined by the processor's ability to help the controller comply with their obligations, breach notifications and DPIAs as well as being compliant with industry standards and up to date with codes of conduct and certification schemes. The processor should also supply the controller with other documentation such as record maintenance, security and privacy policies. These examples are not exhaustive.

As an individual can bring a claim against the controller, who may then be subject to the fines and penalties under the GDPR, the ICO advises that they make sure they and their processors are fully compliant.  This is because a controller cannot be fined for a data breach where they can show they had been compliant and were not at all responsible.  In addition, if fined, a controller can claim a contribution from the processor if they were at fault.

Processor’s responsibilities and liabilities

As the GDPR does not specify that liabilities and responsibilities should be included in the contract, the ICO advises that controllers and processors should incorporate a term into their contracts stipulating exactly the responsibilities and liabilities for each party.

The processor can be liable if it has not complied with the GDPR, has performed data processing without the controller’s instructions or against the instructions, or has contracted a sub-processor who is at fault.

Why is this important?

The guidance is helpful in both explaining the specific terms which need to be incorporated into the controller/processor agreement and providing more practical advice.  

Any practical tips?

Controllers, processors and sub-processors should review their current contracts to ensure that they comply with the GDPR and that their responsibilities and liabilities are apportioned between the parties. 

Controllers should also consider conducting regular audits and keep a record of the processing so that, in the event of a data breach, they can show that they had taken adequate steps to prevent a breach.