Tech & Sourcing @ Morgan Lewis


Earlier this month, the United Kingdom’s Information Commissioner’s Office (ICO) released an initial draft guide of contracting requirements and liabilities for data controllers and data processors doing business together under the General Data Protection Regulation (GDPR).

According to the ICO guide, any time a party that determines the purposes and means of the processing of personal data (Controller) uses a party that processes personal data on behalf of a Controller (Processor), a written contract between the parties is required. If a Processor uses a sub-Processor, the Processor shall be deemed a Controller and will be subject to the same requirements and liabilities as a Controller.

From a practical standpoint, if a party employs a third party to process personal data, there should already be a contract in place to comply with the Data Protection Act 1998, however, the GDPR sets forth specific terms that must be included in any such contract.

Under the GDPR, contracts must include the following:

  • Subject matter and duration of the data processing
  • Nature and purpose of the data processing
  • Type of personal data and categories of data subject
  • Obligations and rights of the Controller

Contracts also must require the Processor to do the following:

  • Act on written instructions of the Controller
  • Ensure that the individuals processing the data are subject to a duty of confidence
  • Take appropriate measures to ensure the security of the data it is processing
  • Engage sub-Processors only with the prior consent of the Controller and under written contract
  • Assist the Controller in providing data subjects access to their data and allowing them to exercise their rights
  • Assist the Controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches, and data protection impact assessments
  • Delete or return all personal data to the Controller as requested at the end of a contract
  • Submit to audits and inspections, provide the Controller with information needed to ensure both parties are meeting their obligations, and notify the Controller immediately if asked to do something infringing the GDPR or other data protection law(s) of the European Union or its member states

Processors also have the following direct obligations:

  • Do not use a sub-Processor without the prior written consent of the Controller
  • Cooperate with supervisory authorities
  • Ensure security of data processing
  • Keep records of data processing
  • Notify the Controller of any data breaches
  • Employ a data protection officer
  • Appoint an EU representative in writing (if needed)

As we have noted in previous posts, the GDPR goes into effect on May 25, 2018.

For more information on whether your organization has appropriate measures in place, please contact the Morgan Lewis technology, outsourcing, and commercial transactions team.