ICO issues expanded guidance on Processor Contracts and GDPR

It would also be prudent for organisation to make sure their processors understand the reasons for the changes and the obligations that the GDPR puts on them. They may be directly subject to an administrative fine or other sanction if they do not comply with its obligations.  They may wish to confirm that their existing and any new contracts adhere to the following:

Contracts must set out:

  • the subject matter and duration of the processing;
  • the nature and purpose of the processing;
  • the type of personal data and categories of data subject; and
  • the controller’s obligations and rights.

Contracts must also include specific terms or clauses regarding:

  • processing only on the controller’s documented instructions;
  • the duty of confidence;
  • appropriate security measures;
  • using sub-processors;
  • data subjects’ rights;
  • assisting the controller;
  • end-of-contract provisions; and
  • audits and inspections.

Controllers must only use processors that can give sufficient guarantees they will implement appropriate technical and organisational measures to ensure their processing will meet GDPR requirements and protect data subjects’ rights.

Controllers are primarily responsible for overall compliance with the GDPR, and for demonstrating that compliance. If this isn’t achieved, they may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures.

In addition to its contractual obligations to the controller, a processor has some direct responsibilities under the GDPR. If a processor fails to meet its obligations, or acts outside or against the controller’s instructions, it may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures.

A processor may not engage a sub-processor’s services without the controller’s prior specific or general written authorisation. If authorisation is given, the processor must put in place a contract with the sub-processor. The terms of the contract that relate to Article 28(3) must offer an equivalent level of protection for the personal data as those in the contract between the controller and processor. Processors remain liable to the controller for the compliance of any sub-processors they engage.

For subscribers to the ELR DPO Service, full details of the new advice from the ICO is set out in the expanded “Processor Contracts” section of our Members Only FAQs