ICO issues expanded guidance on Processor Contracts and GDPR

The Information Commissioner has added significant details to what should be included in processor contracts.

  • The ICO has also said that if organisations haven’t already done so, they must ensure any contracts which were in place as of 25 May 2018 meet the GDPR’s requirements.
  • Organisations need to check their existing contracts to make sure they contain all the required elements. If they don’t, the ICO says it’s essential to either amend existing contracts or get new contracts drafted and signed, and to review all template contracts in use.  
  • The Information Commissioner has also issued additional guidance on the rights and responsibilities of controllers and processes.

It would also be prudent for organisation to make sure their processors understand the reasons for the changes and the obligations that the GDPR puts on them. They may be directly subject to an administrative fine or other sanction if they do not comply with its obligations.  They may wish to confirm that their existing and any new contracts adhere to the following:

Contracts must set out:

  • the subject matter and duration of the processing;
  • the nature and purpose of the processing;
  • the type of personal data and categories of data subject; and
  • the controller’s obligations and rights.

Contracts must also include specific terms or clauses regarding:

  • processing only on the controller’s documented instructions;
  • the duty of confidence;
  • appropriate security measures;
  • using sub-processors;
  • data subjects’ rights;
  • assisting the controller;
  • end-of-contract provisions; and
  • audits and inspections.

Controllers must only use processors that can give sufficient guarantees they will implement appropriate technical and organisational measures to ensure their processing will meet GDPR requirements and protect data subjects’ rights.

Controllers are primarily responsible for overall compliance with the GDPR, and for demonstrating that compliance. If this isn’t achieved, they may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures.

In addition to its contractual obligations to the controller, a processor has some direct responsibilities under the GDPR. If a processor fails to meet its obligations, or acts outside or against the controller’s instructions, it may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures.

A processor may not engage a sub-processor’s services without the controller’s prior specific or general written authorisation. If authorisation is given, the processor must put in place a contract with the sub-processor. The terms of the contract that relate to Article 28(3) must offer an equivalent level of protection for the personal data as those in the contract between the controller and processor. Processors remain liable to the controller for the compliance of any sub-processors they engage.

For subscribers to the ELR DPO Service, full details of the new advice from the ICO is set out in the expanded “Processor Contracts” section of our Members Only FAQs