Controllers and processors: GDPR draft guidance on contracts and liabilities

David Gourlay

David Gourlay gives SLN readers the latest GDPR update ahead of its introduction next year.

The Information Commissioner’s Office (ICO) has published draft GDPR guidance on contracts and liabilities between controllers and processors. The paper, which is currently open for consultation until 10 October, aims to provide practical guidance and explain the fundamental requirements that all contracts between controllers and processors must meet by 25 May 2018 in order to be GDPR compliant. The guidance also seeks to help organisations understand the new responsibilities and liabilities of processors.

Under the GDPR, whenever a controller uses a processor (or whenever a processor appoints a sub-processor) they must have a written contract in place which meets minimum mandatory terms required by the GDPR.

The guidance begins by asking whether the need to comply with the mandatory requirements under Article 28 of the GDPR presents a “big change”. The answer to this question will depend on how an organisation’s existing contracts are drafted. There is no denying, however, that the requirements under the GDPR are wider than those currently required by the Data Protection Act 1998. For that reason, it is likely that almost all contracts will need to incorporate new provisions. This could present a substantial task for many businesses, and it is important that organisations allow plenty of time to agree these new contractual terms. The new obligations on processors and the increased risk of fines and sanctions under the GDPR need to be considered carefully to ensure an appropriate allocation of liability.

The guidance highlights that the scope and extent of the processing need to be clearly outlined, as the GDPR provides that each contract must include the following details about the processing:

•    the subject matter and how long it is to be carried out for;

•    what processing is being done and its purpose;

•    the type of personal data and the categories of data subjects; and

•    the obligations and rights of the data controller.

The ICO state that the parties cannot use “very general or ‘catch all’ contract terms”. However, at present, it is unclear exactly how detailed these narratives will need to be.

The guidance also sets out and provides commentary on the minimum mandatory requirements, over and above which the parties may supplement with their own additional terms. The GDPR allows for standard contractual clauses to be issued by the EU Commission or a supervisory authority (such as the ICO). No standard clauses have yet been published and organisations will, therefore, need to draft their own ‘scope and extent’ and additional terms in the meantime.

In setting out the responsibilities and liabilities of controllers, the guidance highlights that a controller “must only use a processor that can provide ‘sufficient guarantees’ in terms of its resources and expertise, to implement technical and organisational measures to comply with the GDPR and protect the rights of data subjects”. Other than stating that processor adherence to potential future codes of conduct or certification schemes may serve as an aid for demonstrating compliance with this responsibility, the guidance provides no additional commentary on this point.

However, processors should prepare to face increased due diligence requests as it is ultimately up to the controller to satisfy themselves that the processor provides such “sufficient guarantees”. Unless they can prove that they were “not in any way responsible for the event giving rise to the damage”, controllers will be liable for non-compliant data processing.

Under the GDPR, processors will have direct responsibilities and liabilities beyond those which must be expressly provided for in the contract. The guidance sets out the direct responsibilities and liabilities of processors and states that further guidance will be issued on a number of these responsibilities.

The ICO suggests that it is good practice to ensure that the processor understands these direct obligations and that the parties may wish to cover them explicitly in the contract. For example, controllers may wish to include a clause specifying that nothing within the contract will relieve the processor of these direct responsibilities and liabilities, and to ensure that the contract reflects the extent of any agreed indemnity. The guidance clarifies that processors can now be liable where they have breached these direct obligations or where they have acted outside the instructions of the controller. However, processors will not be liable if they can show that they were “not in any way responsible for the event giving rise to the damage”.

Following the consultation period, the guidance (which is supplemented by contracts and liabilities checklists) will undoubtedly serve as a useful aid in reviewing and updating current controller-processor contracts to ensure GDPR compliance, and in identifying the key points to consider. Any template terms currently used by organisations will also need to be reviewed and amended accordingly, and organisations will need to allow plenty of time to undertake the task of ensuring compliance ahead of May 2018.