Many organisations will pass on personal data about their employees, clients, members or customers to an outside business to help with such areas as mailing newsletters, IT support or marketing.
What does GDPR require?
- Whenever a controller uses a processor (a third party who processes personal data on behalf of the controller), the controller needs to have a written contract in place. GDPR makes written contracts between controllers and processors a requirement.
- GDPR sets out what terms need to be included in the contract.
- These terms are designed to ensure that processing carried out by a processor meets all the requirements of GDPR (not just those related to keeping personal data secure).
- Controllers are liable for the processor's compliance with GDPR and must only appoint processors who can provide 'sufficient guarantees' that the requirements of GDPR will be met and the rights of data subjects protected.
- Processors must only act on the documented instructions of a controller. They will, however, have some direct responsibilities under GDPR and may be subject to fines or other sanctions if they do not comply.
- The contract is important so that both parties understand their responsibilities and liabilities.
When is a contract needed?
Whenever a controller uses a processor it needs to have a written contract in place. Similarly, if a processor employs another processor it needs to have a written contract in place.
What must be included in the contract?
Contracts must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, and the obligations and rights of the controller. Contracts must also include as a minimum the following terms, requiring the processor to:
- only act on the written instructions of the controller
- ensure that people processing the data are subject to a duty of confidence
- take appropriate measures to ensure the security of processing
- only engage sub-processors with the prior consent of the controller and under a written contract
- assist the controller in providing subject access and allowing data subjects to exercise their rights under GDPR
- assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments
- delete or return all personal data to the controller as requested at the end of the contract
- submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their GDPR obligations, and tell the controller immediately if it is asked to do something infringing GDPR or other data protection law of the EU or a member state
- co-operate with supervisory authorities (such as the ICO)
- keep records of processing activities
- notify any personal data breaches to the data controller
- where necessary employ a data protection officer.
How can Affinity Resolutions Help?
We understand that an organisation may need to use an outside business. With our unique legal, practical and marketing approach we will create for you a bespoke agreement which both meets GDPR and allows you to carry on your business as you wish.