What a GDPR-proof Data Processing Contract looks like

So you’ve got the terminology down and finally know who’s who under the GDPR -- which applies from today, writes Charlotte Gerrish, founding lawyer at data law consultancy Gerrish Legal.  

Now what you need, before you get handed one, is an understanding of a Data Processing Contract (DPC), including what your client – the Data-Controller -- is going to have parachuted into, to put in place between them (the ‘DC’) and you, the Data Processor (the ‘DP’).

Note; there’ll be some terms and jargon coming up that may be more pertinent to the DC. But as processors, you’d be wise to know the obligations weighing on your client/the DP, so you can better understand your position and see where there may be room for negotiation.

In any DPC -- from today onwwards, the DC needs to:

  • Ensure that the contract sets out the DP’s guarantees to implement appropriate technical and organisational measures.
  • Ensure that the DP is unable to subcontract data-processing activities without the DC’s specific consent.
  • Set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
  • Ensure that what the DP can do with personal data is limited to documented instructions from the DC, including with regard to transfers of personal data outside of the EEA or to an international organisation.
  • Impose confidentiality obligations on the DP and its staff or approved subcontractors;
  • Ensure that the DP is bound to assist the controller in ensuring compliance with the GDPR.
  • Ensure that the DP has instructions to either delete or return all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless the law states otherwise.
  • Impose an obligation on the DP to make available to the DC all information necessary to demonstrate compliance with the obligations laid down in the GDPR.
  • Ensure that the DP allows for (and contributes to) audits, including inspections, conducted by the DC or another auditor mandated by the DC.
  • Ensure that the DP and, where applicable, its representatives, are contractually bound to cooperate, on request, with the supervisory authority (i.e., the ICO in the U.K) in the performance of its tasks.

These obligations are set down in the text of the GDPR, so there is not a lot of room to negotiate the scope of DPCs or DPAs -- Data Processor Agreements. However, there are some points for IT contractors to take into account in order to protect their position.

  1. Be generally familiar with the GDPR and the obligations weighing on you as a professional who processes personal data on behalf of another organisation, and make sure your qualifications and infrastructure are up to scratch.
  2. Immediately inform the DC if, in your opinion, an instruction from the DC infringes the GDPR.
  3. As a matter of good practice, maintain a record of all categories of processing activities carried out on behalf of the DC (even if this is not strictly legally required for organisations with less than 250 staff, unless high risk data is processed).
  4. Only process data in accordance with clear and precise instructions from the DC.
  5. Negotiate limits to your liability where possible, including seeking appropriate insurance where applicable – while you have responsibilities, this does not mean that it is appropriate for you to act as a second insurance policy for your clients!

Remember -- it is really important to take a DPC and your roles as a DP seriously, because the GDPR states that if a processor infringes the GDPR for purposes and means of processing, then that DP shall be considered to be a DC – the controller -- in respect of that processing and will therefore be subject to fines and sanctions (as contained in the GDPR at Articles 82, 83 and 84).

If in doubt as to the contents of a Data Processing Contract or your responsibilities as a Data Processor, it is always worth seeking specialist legal advice. Remember, this is legislation you're dealing with -- and it's now in force!

Editor’s Note: This is the second instalment of a two-part GDPR guide by Gerrish Legal founding lawyer Charlotte Gerrish #legalbusinesspartner, who has more than 10 years of legal experience at international law firms and companies in London. This overview of GDPR is for guidance purposes only and does not constitute definitive legal advice.

Friday 25th May 2018