Any business that is subject to the EU General Data Protection Regulation (GDPR) as a Controller will need to have in place an appropriate arrangement with any other Controller with which it jointly determines the purposes and means of processing, particularly where that other Controller is outside the EU. More importantly, any Controller that is subject to GDPR will need to have in place an appropriate Data Processing Agreement with any third party it shares personal data with where that third party is a Processor as defined under GDPR.
GDPR applies to both Controllers and Processors that are established in the EU (e.g. have EU legal entities) but also to any Controller and Processor not located in the EU, where the processing activities are related to either the offering of goods or services to data subjects in the EU (irrespective of whether a payment is required) or the monitoring of the behaviour of individuals as far as such behaviour takes place within the EU.
Many Processors offer hosted or cloud services that are not located in the EU but that clearly bring the Processor within the scope of GDPR. Controllers and Processors not established in the EU, but caught by GDPR, must designate a representative in writing. That representative must be established in one of the member states where the data subjects whose data are being processed by the Controller or Processor are located (in practice, where most of them are located).
The appointment of a representative means that data protection issues raised by data subjects or data protection authorities will be addressed to that representative, but the appointment does not affect the responsibility or liability of the Controller or Processor under GDPR.
GDPR is quite specific about the duties of the Controller and the Processor and indeed Article 28 (3) of GDPR stipulates that there must be a contract in writing between the Controller and Processor which clearly sets out the subject matter of the processing and its duration as well as the nature and purposes of processing, the types of personal data, any particular special categories of data and the obligations and rights of both parties.
Failure to have in place a suitable Data Processing Agreement is itself a breach of GDPR. Controllers should therefore be auditing their existing contracts with Processors to establish whether those contracts already comply with GDPR, and putting in place due diligence and procurement requirements in respect of contracts yet to be entered into to which GDPR will apply.
Articles 28 – 36 set out matters that must be addressed in the Data Processing Agreement, which include that:
- The Processor must have adequate information security in place;
- The Processor must not engage sub-processors without the prior written authorisation of the Controller;
- The Processor must cooperate with the relevant Data Protection Authorities in the event of an enquiry;
- The Processor must report personal data breaches to the Controller without undue delay;
- The Processor may be required to appoint a Data Protection Officer;
- The Processor must keep records of all processing activities carried out on behalf of the Controller;
- The Processor must comply with EU rules on transfers of personal data outside the EU;
- The Processor must help the Controller to comply with data subjects' rights;
- The Processor must assist the Controller in managing the consequences of data breaches;
- The Processor must delete or return all personal data at the end of the contract, at the choice of the Controller; and
- The Processor must inform the Controller if, in its opinion, a processing instruction infringes GDPR.
The urgent action for Controllers right now is to ensure that, in respect of Data Processing Agreements:
- The Controller's processing instructions to the Processor are documented;
- There is evidence of due diligence by the Controller over the suitability of the Processor in respect of the types of personal data being processed;
- There are suitable confidentiality clauses in the Agreement;
- The Processor has adequate information security in place;
- The contract manages the downstream use of sub-processors;
- The contract puts in place measures for the Processor to