Whenever a controller uses a processor, there must be a written contract in place. The contract is important so that both parties understand their responsibilities and liabilities.
The UK GDPR sets out what needs to be included in the contract.
If a processor uses another organisation (i.e. a sub-processor) to assist in its processing of personal data for a controller, it needs to have a written contract in place with that sub-processor too. Permission is needed from the controller for such an appointment. Any appointment of a sub-processor without permission would be a breach of contract.
So, what does a Data Processing Agreement deliver?
A correctly drafted, well-written agreement will state what data is to be processed, for how long, and much more. Here is a useful checklist:
- The subject matter of the processing
- The duration of the processing
- The nature and purpose of the processing
- The type of personal data involved
- The categories of data subject
- The controller’s obligations and rights
The Data Processing Agreement, which is a contract, will include terms stating that:
- the processor must only act on the controller’s documented instructions, unless required by law to act without such instructions;
- the processor must ensure that people processing the data are subject to a duty of confidence;
- the processor must take appropriate measures to ensure the security of processing;
- the processor must only engage a sub-processor with the controller’s prior authorisation and under a written contract;
- the processor must take appropriate measures to help the controller respond to requests from individuals to exercise their rights;
- taking into account the nature of processing and the information available, the processor must assist the controller in meeting its UK GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
- the processor must delete or return all personal data to the controller (at the controller’s choice) at the end of the contract, and the processor must also delete existing personal data unless the law requires its storage; and
- the processor must submit to audits and inspections. The processor must also give the controller whatever information it needs to ensure they are both meeting their Article 28 obligations.
What responsibilities and liabilities do processors have in their own right?
In addition to its contractual obligations to the controller, a processor has some direct responsibilities under the UK GDPR. If a processor fails to meet its obligations, or acts outside or against the controller’s instructions, it may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures.
A processor may not engage a sub-processor’s services without the controller’s prior specific or general written authorisation. If authorisation is given, the processor must put in place a contract with the sub-processor. The terms of the contract that relate to Article 28(3) must offer an equivalent level of protection for the personal data as those in the contract between the controller and processor. Processors remain liable to the controller for the compliance of any sub-processors they engage.
The Bottom Line
We hear too many tales of a relationship with a processor ending badly and the processor deleting your data. This is quite common, sadly.
Your Data Processing Agreement MUST dictate what happens to your data at the end of the agreement, or contract. The agreement must ensure that data is returned or deleted, as appropriate, and that this is recorded in line with the regulation.
However, be careful: a contract must end amicably, with all invoices paid, so that the processor cannot use your data as a lever to obtain payment. The rules of the contract must be set out in such a way as to protect the data first and foremost, as well as the controller. The processor must not be allowed to simply delete data because a commercial agreement has ended or because of a dispute.