Contracts and liabilities between controllers and processors under GDPR
The draft guidance aims to help data controllers and data processors understand their roles
In September, the ICO opened a consultation period on its draft guidance, which provides practical guidelines for UK organisations on contracts between data controllers and processors under the GDPR.
The draft guidance includes an overview of the mandatory provisions that will need to be in place between controllers and processors from May next year, and stresses the requirements of their statutory obligations.
The guidance aims to help both parties understand their roles and reach compromise solutions so that the mandatory provisions can be put in place. The ICO is also seeking UK organisations' views as to whether the guidance provides the level of detail and clarification that they need to properly address this requirement.
The consultation closed yesterday. Although the guidance may not provide sufficient detail on every single point, it does include a lot of useful content that can be easily understood and followed, e.g. a controller and processor contracts checklist.
What are the current obligations?
The Seventh Principle of the Data Protection Act 1998 places an obligation on controllers to ensure:
- that they have chosen a processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing of data - meaning an IT security audit needs to be carried out; and
- that they have put in place a written contract stating that the processor will only act under the instructions of the controller and will comply with data security obligations equivalent to those imposed on the controller.
The GDPR regime - updates that are opening discussion
The GDPR enhances the current obligations and includes a set of mandatory provisions that need to be included in the agreements between data controllers and processors. These provisions are not new; in fact, many data protection practitioners have been using them for years to clarify positions and minimise risks. However, the fact that they are becoming mandatory is opening new points of discussion between parties that require special attention: for example, additional fees, the extent to which both parties will collaborate with each other, and identifying what data fits into the category of "being processed on behalf of the controller", amongst other things.
In light of this, many organisations are struggling to understand who would be responsible if one of the parties does its best to renegotiate a current agreement and the other party refuses to do so. Initially, you may conclude that the party refusing would be the responsible or liable one. However, the obligation of having suitable provisions in place is the controller's responsibility under the GDPR.
It seems that each situation where the parties do not find a compromise solution should be analysed on a case-by-case basis. This has raised concerns among controllers, as it may be difficult to simply change provider if they have already invested most of their budget in an existing contract. Would they be given more time (for example, an extension of the period that would apply in certain cases under Recital 171 of the GDPR) to find a solution without breaching the regulation?
We hope to hear more about this and other concerns related to this topic from both the ICO and the Article 29 Working Party.
In the interim, organisations will generally find the ICO's draft guidance useful to the extent that it explains why contracts between controllers and processors are important; it makes a distinction between what content is mandatory and what provisions are recommended for good practice. It also clarifies the processors' contractual obligations and what their direct responsibilities are under the GDPR - the understanding of which is crucial for service providers.
Rocio de la Cruz is principal associate at Gowling WLG