Tech & Sourcing @ Morgan Lewis


In Part 1 of this series, we looked at the prevalence of standalone data processing addendums (DPAs) as a means to comply with rules on engaging third-party outsourcers under the EU General Data Protection Regulation (GDPR). In particular, we focused on the risks associated with “one size fits all” precedence clauses. In this Part 2, we take a detailed look at some of the commercial issues arising from DPAs, the GDPR’s mandated contract requirements.

What’s the Issue?

Article 28 of the GDPR includes a set of mandated data processing clauses that are broader in scope than the contract requirements under previous EU data protection laws. In addition, despite the GDPR having been in force for more than six months now, it is still uncertain how regulators will interpret and enforce Article 28.

As a result, parties to outsourcing agreements can find themselves in protracted discussions around which party bears the cost of implementing Article 28. Below are some key areas of focus in the context of outsourcing agreements.

New and Expanded Data Subject Rights

Article 28(3)(e) requires suppliers to, “taking into account the nature of the processing, [assist] the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III.”

Many pre-GDPR outsourcing arrangements contained some sort of obligation on the supplier to flag data subject access requests to the customer. In business processing outsourcing (BPO) arrangements, these clauses often included general obligations to assist the customer in pulling together the information required to respond.

However, the GDPR considerably enhanced data subject rights, introducing additional or enhanced rights such as rights of erasure, rights of access to data, and rights to data portability. Suppliers are often concerned about the breadth of this obligation. For example, does the clause above require a supplier to make system or database changes to accommodate rights to data portability?

We have seen a number of suppliers of both complex outsourced services and more straightforward, commoditized arrangements take the stance that all such assistance is chargeable (usually by reference to agreed day rates or, in less sophisticated arrangements, to the supplier’s prevailing rate card).

However, in many cases, customers would benefit from pushing for a more nuanced approach, treating each of the following separately:

  • Basic data access request notices
  • Requests to cease processing
  • Requests for rectification of data
  • Requests for data portability

Suppliers may be more comfortable building in the cost of basic access requests (particularly under BPO arrangements where the supplier will have ready access to the information) than, say, addressing rights of data portability.

In addition, it is not uncommon for suppliers to agree to tiered charging arrangements whereby certain activities are provided at no additional charge, certain activities are provided on a cost-inclusive basis up to an agreed number of man-days, and other activities are always chargeable.

Assistance with Security and Data Breach Obligations

The GDPR imposes data security and data breach notification obligations on both data controllers and data processors. In addition, Article 28(3)(f) requires supplier data processors to “[assist] the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor.”

Articles 32 to 36 deal with security, breach notification, and the customer-controller’s obligation to carry out data protection impact assessments in certain cases. Again, suppliers are generally seeking to charge for this assistance. However, security and service design issues are often of fundamental importance in a long-term outsourcing relationship. Important questions for both customers and suppliers include the following:

  • Balance of information: Does the supplier possess information or know-how relating to issues such as security and service design that is not known to the customer? Supplier-processors are under a direct obligation to maintain records of the processing activities they undertake. Thus, providing this sort of basic information should not require the supplier to expend significant additional effort.
  • Existing supplier obligations: Are these requirements simply a restatement of general obligations and principles set out elsewhere in the agreement? For example, is the supplier already under more general information and assistance obligations in relation to the services? If so, is it reasonable for the supplier to treat these obligations differently just because they are mandated under the GDPR?
  • Issue mitigation: Is it actually in the supplier’s interest to take an active role without putting up barriers in the form of additional charges? For example, in the event of a security audit or breach, the ability to assist the customer in its compliance activities could turn out to be a key factor in mitigating fallout (both financial and publicity-wise) for the supplier.
  • Change impact assessment: Should assistance with, or even the supplier’s conduct of, data protection impact assessments be factored into the agreement’s project and change control procedures? Privacy impact assessments increasingly form part of good practice when it comes to service and change design. If the supplier is not generally entitled to price for change and project assessment work, why should data protection aspects be treated any differently?
  • Supplier acts: Finally, should the supplier be prevented from charging in certain situations? A compelling example is where a security breach results from the supplier’s action or inaction.

Regulatory Directions

Finally, beyond the scope of Article 28, and unlike the previous EU data protection regime, supplier-processors are subject to direct regulation under the GDPR.

In practice this means that both the customer and the supplier may be answerable directly to the same regulator in relation to processing of the customer’s personal data. For example, under Article 58, the GDPR grants supervisory authorities broad powers to direct processors to make changes to processing operations to bring them into compliance with the GDPR, even where the issue arises from the customer’s conduct or instructions.

This presents suppliers with two problems:

  • Outsourcing agreements often place strict obligations on suppliers in relation to direct dealings with regulators when it comes to the customer’s business.
  • Those same obligations often oblige suppliers to perform the services in accordance with applicable laws and often require suppliers to pick up the cost of service changes resulting from changes in law.

The first issue can be addressed by making clear in the agreement that the supplier is not prevented from dealing directly with its own regulator and from freely complying with directions of the relevant regulators.

The second issue is less straightforward. Suppliers should consider whether existing contractual relief mechanisms will apply where, for example, they are directed by regulators to suspend or cease processing altogether.

If a regulator directs the supplier to make changes to its processing activities, who will pick up those costs? Are they recoverable by the supplier or will they be caught by general obligations to comply with applicable laws?


These are just some of the commercial issues and debates that can arise from implementing the GDPR’s mandated data processing clauses and from the direct obligations that are imposed on supplier-processors under the GDPR.

Given the fundamental importance of data and security to many outsourcing arrangements, particularly BPOs, there is no quick fix for these issues. However, we expect that as with the prior EU data protection regime, custom and practice will develop over the course of the next 12 to 18 months, particularly as the EU regulatory bodies begin to issue more detailed guidance and take enforcement actions under the GDPR.