The GDPR broadens and deepens the rules governing the relationship between data controllers and data processors for the processing of personal data and, for the first time, imposes directly enforceable obligations on processors as well as controllers.
The GDPR also requires that controllers and processors enter into written contracts (“C2P Clauses”). Practical Law recently published its data processing clauses (GDPR version), designed by the writer and colleagues, to assist with this requirement. This blog post seeks to provide background to the many considerations behind the development of these clauses which will help the user understand their crucial compliance role.
Under the GDPR, controller-to-processor contracts need to address the following eight requirements:
- The C2P Clauses must include details of (1) the subject-matter and duration of the processing, (2) the nature and purpose of the processing, (3) the type of personal data and categories of data subjects and (4) the obligations and rights of the controller (Article 28(3)).
- The processor must only process personal data on the documented instructions of the controller unless required to do so by member state or EU law (Article 28(3)(a)).
- The employees of the processor or other people authorised by the processor to process personal data of the controller are obliged – either contractually or otherwise pursuant to statute – to keep the personal data confidential (Article 28(3)(b)).
- The processor must implement appropriate technical and organisational measures to ensure an appropriate level of security is applied to the personal data processed by the processor (Article 28(3)(c)).
- A sub-processor may be appointed by the processor only with the consent of the controller, and the appointment must meet minimum criteria (Article 28(3)(d)).
- The processor must assist the controller in complying with the controller’s obligations with respect to technical and organisational security measures, responding to subject access requests, breach notifications, impact assessments and consultations with authorities (Article 28(3)(e) and (f)).
- The processor must return or delete personal data after completion of the processing (Article 28(3)(g)).
- The processor must make available to the controller all information necessary to demonstrate compliance with these requirements and to allow audits and inspections (Article 28(3)(h)).
The level of detail required of the C2P Clauses reflects the GDPR’s themes of transparency and accountability and raises the bar so that, at the very least, the same minimum contractual terms will apply to all processors.
To be completely compliant, companies must include all eight of these GDPR requirements in all contracts that deal with the processing of personal data, irrespective of the type of personal data being processed and the risks and potential damage that may result from a breach of the C2P Clauses or from non-compliance with the GDPR. There’s no derogation if, for example, the only data processed relates to (low risk, publicly known) corporate email addresses of employees of both contracting parties. Neither is there a requirement that additional or more restrictive terms be imposed on the processor if the contract involves bulk processing of personal data or processing of special categories of personal data.
This equal treatment of all types of personal data under C2P Clauses means that the language used to comply with Article 28(3) can range from relatively short form clauses to significant and detailed terms such as those prepared by the International Regulatory Strategy Group.
In mid-October, the ICO closed its consultation on GDPR guidance on contracts and liabilities between controllers and processors and it is to be hoped that ‘ICO approved’ C2P Clauses will be developed through this consultation process that balance genuine protection (in being sufficiently detailed to be useful) with workability (not being disproportionately lengthy or unwieldy) and are relevant and easily agreed and implemented by controllers and processors alike.
A key consideration, in the writer’s view, is that the clauses are likely to be relevant in many, if not a majority, of commercial contracting situations that touch on any aspect of data processing, so a degree of practical, ‘real-world’ proportionality needs to be achieved around the length of the clauses in relation to the contract as a whole.
This objective has informed our approach in preparing the data processing clauses (GDPR version), and we have looked to draft a set of C2P Clauses that can be used as a starting point by a variety of businesses in a variety of market sectors while balancing the need to comply with all requirements of Article 28(3) of the GDPR (on the one hand) with accessibility, workability and length (on the other). We have therefore made an implicit assumption that organisations will want wording that covers all eight requirements but is proportional to the nature of the personal data to be processed and the length of the overall agreement. We have also aimed to ‘future-proof’ the C2P Clauses we have prepared by including a term enabling the processor to replace the terms with applicable controller-to-processor clauses or a certification scheme in line with Articles 28(6)-(8).
Although many existing contracts between controllers and processors will include some – but perhaps not all – of the above terms, organisations will need to review and potentially re-paper all contracts that involve the processing of personal information so that they include the more detailed C2P Clauses that the GDPR mandates.
The activities required to comply with these obligations can require significant amounts of time and resources. It’s therefore important to create and implement processes and procedures for reviewing, amending and incorporating GDPR-compliant C2P Clauses into existing and new contracts that may involve processing of personal data. This should involve:
- reviewing and recording, case by case, the nature and extent of activity carried out by processors to ensure that the contract contains appropriate information regarding (1) the subject-matter and duration of the processing, (2) the nature and purpose of the processing, (3) the type of personal data and categories of data subjects and (4) the obligations and rights of the controller. This information can be included as a schedule to the agreement, and organisations should consider how they can standardise it across their operations.
- preparing template GDPR-compliant C2P Clauses.
- reviewing existing contracts to identify gaps and non-compliant terms.
- amending existing contracts to incorporate the new C2P Clauses, or executing a separate standalone data processing agreement that is expressed to supersede any existing data processing terms and conditions.
- periodically reviewing compliance with new GDPR-compliant C2P Clauses and the GDPR’s requirements in relation to the appointment and activities of processors.
The use of standardised wording will assist both controllers and processors in complying with their obligations under the GDPR and should cut down the time required to complete the re-papering process.
If, however, re-papering existing terms is particularly resource intensive and the exercise is realistically unlikely to be completed before the GDPR becomes effective in May 2018, companies may wish to prioritise their relationships with processors who bulk process, or process higher-risk, personal data and work to re-paper these relationships as quickly as possible, while developing and following a project plan to re-paper all relationships by a specified date and time. While this approach may ease the burden on companies of managing the ‘bow wave’ of incremental work prior to 25 May 2018 (before it hopefully settles back to a lower level thereafter), it should be a last-resort option, because organisations adopting this approach will knowingly be in breach of their GDPR obligations and risk fines of up to 2% of worldwide turnover or €10 million for non-compliant contractual terms.
Finally, longer standard C2P terms for bigger contracts are now starting to be published – such as those prepared by the International Regulatory Strategy Group – and these are worth reviewing for a different approach where deal size merits.