In many trading relationships, there will be a flow of data from one business to another – and where that data consists, wholly or partly, of ‘personal data’, the law requires certain provisions to be included in a written agreement. And since the implementation of the GDPR, those ‘data processing clauses’ have become, out of necessity, rather lengthier than they once were.
Definition under the GDPR
Where a data processor carries out any processing on behalf of a data controller, the data controller does not comply with the GDPR unless there is a written contract between the two parties that includes, as a minimum, the following clauses:
- a summary of the subject-matter of the data;
- the length of time that the processing will continue;
- the nature and purpose of the processing;
- the type(s) of personal data that will be processed;
- the categories of data subjects whose personal data will be processed;
- a statement of the obligations and rights of the data controller;
- the data processor must act only on the data controller’s documented instructions;
- the data processor must ensure that all of its personnel who access the data are subject to appropriate confidentiality obligations;
- the data processor must comply with the requirements of the GDPR regarding security measures and encryption;
- the data processor must assist the data controller in dealing with requests from data subjects, dealing with data breaches and conducting impact assessments;
- the data processor must delete or return (at the data controller’s choice) all personal data at the end of the contract, or when the need for processing ceases;
- the data processor must provide any information the data controller requests in order to demonstrate compliance with the GDPR, and must allow the data controller to audit and inspect the data processor’s compliance;
- the data processor must not delegate the processing to a sub-processor without the data controller’s written consent (and then only on the basis of a written agreement which contains terms similar to those in the list above).
What does the GDPR definition really mean?
Much like before, there must still be a written contract when one business processes personal data on behalf of another business, but even a ‘basic’ clause will now be far longer and more detailed, often running to a couple of pages of text.
In addition, a data controller is only permitted to use data processors that provide sufficient guarantees to implement appropriate technical and organisational measures in order to meet the requirements of the GDPR, and protect the rights of the data subject. Examples of factors to be taken into account when assessing a processor’s suitability include:
- the extent to which the processor can demonstrate compliance with industry standards (if applicable);
- whether they have sufficient technical expertise to assist the controller in fulfilling their obligations under the GDPR;
- whether or not the processor can demonstrate adherence to an approved code of conduct or certification scheme.
What must my business do to ensure compliance?
First, identify every single relationship your business has with suppliers, customers, outsourcers, contractors, agents, resellers, distributors, etc., where either you disclose any personal data to them, or they disclose any personal data to you.
Secondly, for each of those relationships, identify whether you are the data controller, or you are the data processor. It is likely that you will want to agree a slightly different data clause depending on the answer – as a data controller, you’ll inevitably want to shift as much burden onto the data processor as possible, but as a data processor, you’ll want the data controller to be fully responsible for compliance with the law.
Finally, identify whether there is an existing contract in writing between the two parties. If there is an existing contract, then you have to agree an amendment to that contract (which shouldn’t be a problem in principle, as the other party should also be keen to amend that contract to comply with the GDPR). If you do not have an existing contract, then you have to enter into a written agreement, ensuring that the agreement includes the required data clause.
It may be that, dependent on timing, you can use the ‘standard clauses’ published by the European Commission or the UK Government.
Any and all contracts that you enter into that involve a flow of personal data should include a suitable data clause that complies with the GDPR.
My business doesn’t really bother with written contracts – is that a problem?
Ignoring the wider issues of not recording an agreement in writing, and concentrating purely on the data elements, the answer is ‘it depends’. If you use a processor to process any personal data (including such basic data as an individual’s name and contact details) on your behalf, or you are a processor operating under a controller’s instructions, then there must be a short agreement in writing. A failure to have a written contract will put both parties in breach of the GDPR.
Ok, I’ll have a written agreement if I must – but can it cover just the data clause?
Yes, in theory. The rest of the contract could be unwritten, if you wanted (although there are wider risks associated with not recording an agreement in writing).
Every agreement must contain a data clause?
No. Only contracts where there is a flow of personal data from one party to the other and the relationship between the parties is one of controller and processor.
Why do I need to work out whether I’m a data controller or a data processor?
Unlike under the old regime, the GDPR applies to both data controllers and data processors. Based on that fundamental principle, a data controller will inevitably want to shift as much burden onto the data processor as possible, seeing it as an opportunity to delegate its responsibilities. If you are the data controller, then that may be your valid objective. But on the other hand, as a data processor, you’ll want the data controller to be fully responsible for compliance with the law, and you’ll not want to accept any additional responsibilities for compliance other than those imposed directly under the GDPR. It is probably sensible, therefore, to have two ‘standard’ data clauses that you can use, depending on the particular situation.
So now, I’ve really got to include everything in the list above in my contracts where I disclose or receive any personal data? What if I don’t?
Yes, you do. That’s what the GDPR requires. If you don’t then, in theory, both parties could be fined up to €20 million or 4% of annual global turnover (whichever is greater). And if any data subject can demonstrate that they’ve suffered damage (even minor damage to reputation) as a result of your non-compliance, that data subject can bring a claim for compensation against you.
- Data controller means the person/business who determines the purposes for which personal data will be processed, and the manner in which it will be processed.
- Data processor means the person/business that processes personal data on behalf, and in accordance with the instructions, of a data controller.
- Data subject means the living individual that is identified, or can be identified, from the personal data.
- GDPR means the General Data Protection Regulation, the EU law that effectively replaced the Data Protection Act 1998.
- Personal data means any data from which a living person can be identified.
- Process means to do just about anything with personal data, e.g. collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting, erasing, destroying or otherwise making the data available to somebody else.
This briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.