October 19, 2017

ICO’s consultation on the draft GDPR guidance on contracts and liabilities between controllers and processors

On 13 September 2017, the UK Information Commissioner’s Office (ICO) published draft guidance on contracts and liabilities between controllers and processors under the GDPR.

The draft guidance does not add substantial detail to the provisions of the GDPR but is a useful reminder of the key points. For example, it highlights the requirement for a written contract between the controller and any of its processors and summarises the provisions that the GDPR states must be included in the contract, specifically:

  • The subject matter and duration of the processing

  • The nature and purpose of the processing

  • The type of personal data and categories of data subjects

  • The obligations and rights of the controller

  • The obligations of the processor to:

    • Only act on the written instructions of the controller

    • Ensure that people processing the data are subject to a duty of confidence

    • Take appropriate measures to ensure the security of processing

    • Only engage sub-processors with the prior consent of the controller and under a written contract

    • Assist the controller in responding to data subject requests to exercise their rights under the GDPR

    • Assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments

    • Delete or return all personal data to the controller as requested at the end of the contract

    • Submit to audits and inspections and provide the controller with any information needed to demonstrate compliance with its processor obligations under the GDPR

    • Inform the controller if the instructions given to the processor infringe the GDPR or other data protection law

It is unlikely that current controller-processor contracts will cover all of these points, so existing contracts will need to be reviewed and updated to address these requirements.

One of the biggest changes that the GDPR brings is that processors have direct responsibilities and obligations under the GDPR beyond the terms of their contracts with controllers. In particular, processors may be liable for fines and to pay compensation for non-compliance with the specific processor obligations under the GDPR, or where they act outside or contrary to the lawful instructions of the controller.

However, the draft guidance also reminds controllers that they retain ultimate responsibility for ensuring that data is processed in a compliant manner, even if they appoint a processor to process data on their behalf, and that they will only be exempt from liability under the GDPR if they prove that they were ‘not in any way responsible for the event giving rise to the damage’ resulting from non-compliant processing.

Consultation on the draft guidance closes on 10 October 2017, so businesses that wish to push the ICO to provide greater clarity should submit comments to the ICO in the next couple of weeks.

© Copyright 2017 Squire Patton Boggs (US) LLP

About this Author

Asel Ibraimova
Associate

Asel Ibraimova is an associate with expertise in European data protection matters.

Asel has worked in the healthcare industry and media industry, representing the interests of both data controllers and data processors. She has advised on methods of international transfer of personal data, on data protection issues related to the launch of websites, apps, mobile devices and online personalization services. She has negotiated data protection contracts with major online service providers, including cloud providers. Asel has drafted data protection...

44-227-655-1208
James Stuart
Partner

Stuart is a partner in our Intellectual Property & Technology practice in Birmingham. He advises on a wide range of commercial and IT contracts, including major distribution, logistics, outsourcing, shared services and joint ventures.

He has particular expertise in advising on the procurement and supply of IT systems and IT outsourcing arrangements as well as website and software development, hosting and licensing, software as a service (SAAS), open source software, cloud computing, e-commerce and data security matters. In addition, he drafts and advises clients on contracts for the supply and procurement of goods and services of all types, including specialist supplies to utilities, manufacturing businesses, recycling schemes, retailers, healthcare providers, the defence industry and IT suppliers.

Stuart is a member of the Society for Computers & Law and also works as a supervisor and advisor at the Birmingham Legal Advice Clinic, part of the LawWorks charity group, providing a drop-in centre for free legal advice on simple debt, benefits and consumer issues to people in the West Midlands.

44-121-222-3645