Guidance on Data Controller to Data Processor contracts
The Data Protection Commission has just released a short guidance document on what needs to go into a Data Controller to Data Processor contract in line with GDPR requirements. Firstly, the contract must be a legally binding document, and secondly, it must state what the exact data processing requirements will be.
The Data Processor will agree to only process personal data in line with what is detailed in the contract and it is the responsibility of the Data Controller to ensure that the Data Processor complies with GDPR and has robust technical and organisational measures in place to protect the privacy rights of individuals.
There are a number of mandatory provisions that must be included in the contract between a Data Controller and a Data Processor. At a minimum these need to include:
- The subject matter, duration, nature and purpose of the data processing;
- The type/s of personal data being processed;
- The categories of data subjects whose personal data is being processed;
- The obligations and rights of the Controller;
- The Processor will only process personal data in line with the documented instructions from the Controller unless a legal requirement overrides this;
- Processing of personal data is subject to a duty of confidentiality;
- The Processor takes all measures to implement and ensure that appropriate technical and organisational measures are in place to protect the personal data received from the Controller;
- The Processor obtains either specific authorisation or general written authorisation from the Data Controller before engaging any sub-processors that may process the personal data on behalf of the Controller. In addition, the Controller has the right to object in advance to any sub-processor being appointed by the Processor;
- That any approved sub-processors engaged by the Processor are subject to the same data protection obligations as the Processor and that the Processor remains directly liable to the Controller for the performance of a sub-processor’s data protection obligations;
- The Processor assists the Controller in responding to data subject rights’ requests in line with GDPR;
- The Processor assists the Controller to comply with and report data breaches in line with GDPR and, where relevant, assists with data protection impact assessments;
- When the contract between the Data Processor and Data Controller terminates, the Processor deletes or returns the personal data received from the Controller;
- That the Processor makes available to the Controller all information necessary to demonstrate compliance and that the Processor allows for and contributes to audits conducted by the Controller or a third party on the Controller’s behalf.
Other provisions that could be included in the contract between a Data Controller and Data Processor may include the following:
- Liability provisions (including indemnities);
- Detailed (technical) security provisions; and/or
- Additional cooperation provisions between the Controller and Processor.
As this is a legally binding document, SFA recommends that you obtain legal advice before issuing or signing a contract between a Data Controller and a Data Processor as we can only provide guidance and advice in this area.
If you would like more information on GDPR or to discuss your requirements further, please contact Helen at SFA on 01 6051668 or at firstname.lastname@example.org or visit our GDPR section on www.sfa.ie/advice