This article has been written by Arun Nair pursuing the Diploma in Advanced Contract Drafting, Negotiation and Dispute Resolution from LawSikho. This article has been edited by Dipshi Swara (Senior Associate, Lawsikho).

Introduction

The General Data Protection Regulation (GDPR), is the yardstick law of the European Union for the protection of privacy of an individual, which came into force on 25 May 2018. The regulation introduced a higher duty for the data controllers and data processors. One of the main duties of controllers and processors is to enter into a legally binding contract governing the processing of personal data when a processor is engaged by the controller and instructed to process personal data. The contract is important so that both parties understand their responsibilities and liabilities. This article outlines in brief, the obligations of the data controllers and data processors, to enter into a contract under the GDPR, and the provisions which should be included in such a controller-processor contract.

Processing under GDPR

Under the GDPR, both the controllers and processors are subject to several enhanced obligations. Processors, for example, must only process personal data upon the receipt of written instructions from the controller. A data controller on the other hand has the responsibility to define the purpose and means of the processing of personal data.

Article 4(2) defines processing as – “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storing, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

Thus, the data controllers and data processors shall enter into a legally binding contract whenever a controller engages a processor for processing personal data on its behalf.  Further, the GDPR stipulates that controllers should engage only such processors which provide sufficient guarantees to implement appropriate technical and organizational measures to comply with GDPR and to protect the rights of data subjects.

Both these parties should bear in mind that there are multiple other conditions that the GDPR imposes directly on them such as – record keeping, ensuring security of processing etc. These direct responsibilities will apply to the data controllers and data processors in addition to any contractual obligation which they may be subject to under the data processing contract. Similarly, in case the parties are found in breach of the GDPR, they may be liable to fines and other penalties in addition to being in breach of the contract to which they are a party.

Who are data controllers & data processors?

Data controllers

As per Article 4(7) of GDPR, controllers are “any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes, and means of the processing of personal data.” The data controller has to implement appropriate measures, depending upon the risk and severity posed by the processing, to ensure and demonstrate that processing is performed in accordance with the regulation.

Data processor

Article 4(8) of GDPR defines a processor as “any natural person or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

1. Further, Art.(28)(1) states that, if a ‘data controller’ engages a ‘data processor’ for processing personal data, the controller shall ensure that the processor enact necessary technical and organizational measures in a manner that it meets the requirements of the legislation and safeguards the rights of data subjects.
2. No processor can engage the services of another processor without the specific written approval of the data controller and such processor shall state to the controller, all intended changes that may occur with the inclusion or substitution of other processors.
3. Data Processing agreements are binding on the data processors and set out the subject matter, duration, purpose and nature, type of data and rights and obligations of the data controllers under the contract.
4. The contract or other legal act further stipulates in particular that the processor:

1. Shall process data only on instruction of the controller including transfers to third country or an international organization;
2. Shall ensure confidentiality of the personal data;
3. Shall ensure safety and security of the personal data;
4. Shall agree to conditions for engaging another processor;
5. Shall assist in audits conducted by the controller and also in ensuring compliance to controller’s obligation to respond to data subjects who exercise their rights provided under the GDPR;
6. Shall at the instruction of the controller, delete, return all the personal data once services are over.

When are data processors used?

It is common practice for a data controller to engage a data processor to process personal data on its behalf. For instance, a specialist private company supplies an application or software to process the records of a public school in lieu of certain fees, a public institution engages a private company to carry out analysis and to administer social benefits to its population.

Overview of the important clauses the contract must include

All data controllers who appoint data processors to process personal data on their behalf are obliged to enter into a data processing contract. This condition is mandatory for controllers and processors in both private and public sectors and any processing contract should, at the minimum, contain the following details according to Article 28(3):

• The subject matter, nature and purpose, duration of the processing;
• The kind of personal data processed;
• The categories of data subjects;
• The rights and duties of the controller.

The following clauses that must, particularly be included in the contract are as follows:

• Processing only on instructions of the controller.
• Confidentiality.
• Security measures.
• Using sub-processors.
• Rights of Data subjects.
• Assisting the controller.
• End-of-contract.
• Inspection & Audit.

These are the standard clauses put forward in the GDPR, however, the controller and processor may decide to substitute them with their own terms. 

1. Instructions for Processing

Under Article 28(3)(a) the contracts must include that the processor may only process personal data upon receiving instructions from the controller. Instructions can be documented using any written form capable of being saved for records, including email.

“The Parties agree that the processor shall process personal data only in accordance with the written instructions of the Controller. Additional instructions outside the scope of the written instructions required written agreement between the Parties. Controller is entitled to terminate the Agreement if Processor declines to follow the instructions requested, statutory or otherwise, by the Controller under this DPA, the processor shall then be treated as a controller in respect of that processing and will have the same liability as a controller.”

2. Confidentiality

The contract must include a confidentiality clause that states that the processor must ensure confidentiality of personal data, from everyone it allows to process the personal data. This contract should cover the processor’s employees and agents who have access to personal data.

“The Processor will not access or use, or disclose to any third party any personal data, except, as necessary to comply with the law or a valid binding order of the governmental body. If the governmental body sends the Processor a demand for personal data, the Processor shall attempt to redirect the governmental body to request data directly from the Controller. To achieve this the Processor may provide the Controllers basic contact information to the governmental body. Further, the Processor restricts its personnel from processing personal data without prior approval from the Controller and imposes contractual obligations upon its personnel regarding confidentiality, data protection and data security.”

3. Appropriate security measures

The contract requires the processor to take all security measures, both technical and organizational, important to meet the condition of Article 32 on the security of personal data being processed.

“The processor shall implement and will maintain adequate technical and organizational measures in compliance with the provisions of the GDPR in relation to the personal data. Such technical and organizational measures include pseudonymisation, encryption, backup and archiving for restoration, and regular testing, assessing and evaluation of the success of the technical and organizational measures adopted by the processor chosen by the controller. The processor shall notify the controller of a security incident without any undue delay after becoming aware of the security incident and take reasonable steps to mitigate the effects and minimise any damage.”

4. Using sub-processors

Article 28(3)(d) states that the processor should not engage another processor (a sub-processor) without the controller’s prior written authorisation, to give the controller a chance to object to it. The processor shall be liable to the controller for any sub-processor’s compliance with its data protection obligations.

“The controller agrees that the processor may use sub-processors to fulfil its obligations under the contract or to provide certain support services on its behalf. The processor shall inform and give notice to the controller at least 30 days before the processor engages the sub-processor. The processor shall restrict the sub-processors access to personal data only to what is necessary to maintain service and prohibit for any other purpose; enter into a written agreement with the sub-processor and impose the same contractual obligation that the processor has under its DPA; the processor shall remain responsible for its compliance of this DPA and for any acts or omissions of the sub-processors that cause the processor to breach any of the processors obligations.”

5. Data subjects’ rights

Under Article 28(3)(e) considering the nature of the processing, processor’s shall assist the controller by implementing technical and organisational measures, as far as possible, for fulfilling the obligation of the controller, to respond to the requests raised by the data subjects. 

“The processor offers the controller to comply with its obligation towards its data subjects. Should a data subject contact the controller with regard to correction or deletion of rectification or erasure of its personal data, the processor shall use commercially reasonable efforts to fulfil such requests or forward such requests to the controller.”

6. End-of-contract provisions

Under Article 28(3)(g) the contract must say that at the end of the contract the processor shall promptly from the date of cessation of agreement involving the processing of personal data shall delete and procure the deletion of all copies.

“The controller has control to retrieve or delete the personal data from the possession of the processor. Following the termination of the agreement, the processor consents to delete and/or return any personal data, held in its possession for rendering of services in accordance with this agreement, as requested by the controller.”

7. Audits and inspections

Processor is required to make available to the Controller all information necessary to prove compliance, and shall allow and contribute to audits, including inspections, by an auditor in relation to the processing of the personal data by it under Article 28 of the regulation.

“The controller agrees to exercise any right it may have to conduct an audit or inspection of the processor. In the event, the processor declines to follow any instruction requested by the controller regarding audits and inspection, the controller is entitled to terminate this DPA and the agreement.”

Conclusion

If you are a controller who has engaged processor(s) to process personal data on your behalf or if you are a processor who has been engaged by controller(s), one should ensure that you have a legally binding contract governing this data processing arrangement.

Parties to the contract should corroborate that they are up to date and fully in compliance with the GDPR, and that they contain the provisions mandatorily required under the regulation.

References

1. https://www.dataprotection.ie/sites/default/files/uploads/2019-06/190624%20Practical%20Guide%20to%20Controller-Processor%20Contracts.pdf
2. https://tresorit.com/blog/everything-you-need-to-know-about-a-data-processing-agreement/
3. https://medium.com/golden-data/what-must-a-contract-between-a-controller-and-a-processor-include-under-gdpr-12593fa826d5
4. https://gdpr-info.eu/art-28-gdpr/.

---

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:https://t.me/joinchat/J_0YrBa4IBSHdpuTfQO_sA

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.