
ICO issues draft guidance on contracts between data controllers and data processors

Published on 18 December 2017

What must be included within a contract between a data controller and a data processor to ensure compliance with the General Data Protection Regulation (GDPR)?

The background 

The GDPR significantly alters the balance of obligations, responsibilities and liabilities between controllers and processors of data. It mandates that when a controller uses a processor, it must have a written contract in place covering data security and all key aspects of the relationship.

The development 

The Information Commissioner’s Office (ICO) has issued draft guidance to assist organisations in preparing or updating their controller/processor contracts. The ICO confirms its interpretation of the GDPR, and provides a general recommended approach to ensure compliance.

The ICO outlines that, as per the GDPR, controller/processor contracts must set out:

  • the subject matter and duration of the processing 
  • the nature and purpose of the processing 
  • the type of personal data and categories of data subject, and 
  • the obligations and rights of the controller. 

Further, the following mandatory minimum terms must be included, requiring the processor to: 

  • only act on the written instructions of the controller 
  • ensure that people processing the data are subject to a duty of confidence 
  • take appropriate measures to ensure the security of processing 
  • only engage sub-processors with the prior consent of the controller and under a written contract 
  • assist the controller in allowing data subjects to exercise their rights under the GDPR 
  • assist the controller in meeting its GDPR obligations, and 
  • delete or return all personal data to the controller as requested at the end of the contract. 

The ICO also outlines the key responsibilities of each party. Controllers, for instance, will ultimately be responsible for ensuring that personal data is processed lawfully – regardless of the use of a processor, the controller may be subject to any of the sanctions set out in the GDPR. In a similar vein, if processors act outside the documented instructions of a controller, they will be considered a controller and be subject to the same liabilities and sanctions. Sub-processors won’t escape the responsibilities either – their contracts must contain the same legal obligations as set out in the main contract.

Another difference is that processors now have direct responsibilities and obligations under the GDPR, outside the terms of the contract. Processors can be held directly responsible for non-compliance with these obligations, or the contract terms, and may be subject to administrative fines or other sanctions and liable to pay compensation to data subjects.

Why is this important? 

Although the requirement for controller/processor contracts is not new (and, indeed, is already considered good practice by most organisations), the level of detail and the mandatory terms outlined by the GDPR represent a significant change.

Any practical tips? 

Contracts in place on 25 May 2018 will need to meet the new GDPR requirements – so now is the time to check whether your current agreements contain all the necessary elements. The changes required by each organisation will be dependent on how the business’ contracts currently deal with data protection.