Towards the end of 2018 we ran a series of Contract Corner blog posts on the GDPR and Data Processing Addendums. (See here and here.) December brought detailed guidance from the UK Information Commission’s Office (ICO) on contracts and GDPR compliance (the New Guidance), which replaces draft guidance previously issued as part of a consultation by the ICO in 2017 (the Draft Guidance).
In this post we focus on the following sections of the New Guidance: “When is a contract needed and why is it important?” and “What needs to be included in the contract?”, considering this against the previous draft guidance.
When a Contract Is Needed
Article 28 of the GDPR requires that processing of personal data by a third-party data processor is governed by “a contract or other legal act”. The New Guidance does not comment on what is meant by an “other legal act”, instead simply commenting that in the UK, contracts will most likely be the most appropriate way to comply with this requirement.
Interestingly, the guidance states that this requirement could be satisfied even without a direct contract between the controller and processor, provided that the processor is ultimately bound, as a matter of law, to each controller in respect of the particular processing. An example given is a set of contracts between multiple parties. This allows for some flexibility in the contractual arrangement. However, parties should be cautious if they are looking to satisfy this requirement other than through a direct contract between the processor and controller to ensure that the arrangement is sufficient to satisfy this requirement.
Obligations to Include in the Contract
The ICO has also provided updated guidance on the approach to be taken to the list of obligations set out at Article 28(3), which must be stipulated in a contract between a controller and processor.
For a discussion on some of the commercial issues associated with negotiating these provisions, see our previous blog post on this subject.
Details of Processing
Whereas the Draft Guidance was ambiguous as to which party is responsible for setting out the details of the processing (for example, the subject matter, duration, and purpose of the processing), the New Guidance states that “the controller needs to be very clear from the outset about the extent of the processing it is contracting out”, implying that this is primarily a controller obligation.
Processing on Documented Instructions (Article 28(3)(a))
A number of data processing addendums that we have seen state that the documented instructions of the controller are set out in the agreement. This approach has been validated by the ICO and it also comments that the instructions may be provided separately.
The guidance is not prescriptive as to the form of the written instructions, except that the instruction must be capable of being saved for recordkeeping purposes.
Appointing Sub-processors (Article 28(3)(d))
There had been discussion around reference in Article 28(4) to the contract with the sub-processor setting out “the same data protection obligations as set out in the contract or other legal act between the controller and processor as referred to at paragraph 3” (emphasis added). The ICO has clarified that the wording of these obligations does not need to mirror that set out in the controller/processor contract, but instead the obligations should offer an equivalent level of protection for the personal data. This is a logical interpretation and one which reflects the approach that we have often seen taken in data processing addendums.
Data Subject Rights (Article 28(3)(e))
The ICO has updated its guidance to more closely align to the wording of the GDPR, once again referencing the wording in the GDPR which requires the processor to take “appropriate technical and organisational measures”. Unfortunately, the New Guidance does not shed any additional light on what this means for data processors in practice and the scope of the assistance to be provided. As a result, we are likely to continue to see much time spent in negotiations around the breadth and commercial impact of this obligation.
Assistance Obligations (Article 28(3)(f)) This paragraph requires the processor to provide assistance to the controller to help the controller comply with certain GDPR requirements. The Draft Guidance included a helpful statement that the “processor’s duty to assist you to comply is not infinite” and is limited by the wording in the regulation which requires the “nature of processing and the information available to the processor to be taken into account”. Unfortunately, this statement has been removed from the New Guidance. Furthermore, the ICO has recommended that the contract is “as clear as possible” about the assistance that the processor will provide to help the controller meet its obligations. Unhelpfully, however, it does not provide any examples of what this means in practice. This also raises the question: to what extent can the processor limit the assistance which it will provide to the controller by specifying how it will assist the controller? Conversely, controllers will now be wary of agreeing clauses which overly limit the more general obligations set out in the GDPR. Deletion and Return of Data (Article 28(3)(g)) The New Guidance on the processor’s obligations in relation to deletion and return of data is helpful and sets out the following additions: The second of these additions picks up a technical and practical issue which frequently arises when discussing confidentiality agreements and one which we have also seen come up when negotiating data processing addendums. A strict interpretation of the GDPR does not provide any leeway to resolve this issue. The ICO has, however, stated that it is acceptable for the data not to be deleted immediately, provided that Demonstrating Compliance and Audits and Inspections (Article 28(3)(h)) The GDPR requires the processor to make available to the controller all information necessary to demonstrate compliance with the obligations in Article 28 (not just Article 28(3)) and to allow for and contribute to audits, including inspections. The new ICO guidance places emphasis on the obligation to demonstrate compliance with the article, rather than the means by which this is done. It states that the processor could demonstrate compliance by providing necessary information to the controller, or by submitting to an audit or inspection. The contract should, however, be clear as to how the processor will be required to demonstrate this compliance. This seems to allow for a degree of deviation from the wording of Article 28(3)(h) and we anticipate that this will prompt discussions between controllers and processors as to the most appropriate way for the processor to demonstrate its compliance with the article as part of contract negotiations. The Problematic “Hanging Paragraph” Immediately below Article 28(3) is an obligation on the processor to immediately notify the controller if it believes that an instruction infringes data protection law. In the Draft Guidance, this is listed as an obligation to be included within controller/processor contracts as part of Article 28(3)(h). Significantly, the New Guidance makes no reference to this processor obligation. We can therefore take from the new guidance that the obligation does not need to be stated explicitly within the controller/processor contracts, though the processor will of course nevertheless be required to comply with this obligation pursuant to the regulation. What Does This Updated Guidance Tell Us? The ICO is approaching the Article 28 requirements with a degree of flexibility, focusing on the purpose of the requirements and promoting a practical approach. Although the updated guidance is helpful in many areas, the ICO has perhaps missed an opportunity to provide further guidance or clarification on some points that remain subject to close debate by parties negotiating data processing agreements. We anticipate that as custom and practice develops in this area, the ICO will provide further updates and clarifications to its contract guidance.