In the processing of personal data, the data processor has an important position, as it processes data on behalf of the controller. This happens, for example, when we contract a company to manage the merchant services of our e-commerce website, when we outsource the administration of our business, or when we hire a company to prepare the payslips of our employees.
So, as you can see, it is very common for enterprises to use data processors in their daily activity. For this reason, it is very important to manage this relationship taking the data protection regulations into account. The consequences of non-compliance could include an unlawful disclosure of data and the commission of an infringement that, under the new regulation, the GDPR, can mean an administrative fine of up to 10 million euros or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher (art. 83 (4)).
Having in mind the large administrative fine that an infringement of the GDPR can carry, I will summarise in this post the basic elements that the written contract between the data processor and the data controller should contain when the GDPR becomes applicable on 25 May 2018.
Article 28 (3) GDPR is the provision that regulates this contract.
1. THE CHARACTERISTICS OF THE DATA PROCESSING SHOULD BE EXPLAINED.
In the contract, the parties should expressly indicate:
- the subject-matter of the processing;
- the duration of the processing;
- the nature of the processing;
- the purpose of the processing;
- the type of personal data processed (if there are special categories of personal data);
- the categories of data subjects;
- and the obligations and rights of the controller (the processor's own obligations are the ones listed in points (a) to (h) of article 28 (3), which are covered in the following sections).
All this information should be set out in a concrete and clear way and in relation to all the processing operations that the data processor will carry out.
2. IT SHOULD EXPRESSLY INDICATE THAT THE PROCESSING WILL BE DONE IN ACCORDANCE WITH THE DOCUMENTED INSTRUCTIONS OF THE CONTROLLER.
In addition, the contract should stipulate that the processor will only process the data on the documented instructions of the controller, including with regard to transfers of personal data to a third country or an international organisation (article 28 (3) (a) GDPR). The only exception is where Union or Member State law requires the processor to process the data; in that case the processor must inform the controller of that legal requirement before processing, unless the law prohibits it on important grounds of public interest.
3. IT SHOULD EXPRESS THE COMMITMENT TO THE CONFIDENTIALITY OF THE DATA.
In the contract, the parties should expressly indicate that the processor ensures to the controller that only authorised persons will have access to the data (for example, the employees of the processor who need the data to carry out the processing contracted), and that these persons have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (as is the case, for example, of lawyers).
All this means that the parties should agree on how confidentiality will be guaranteed, and this arrangement should be documented in the contract.
4. THE SECURITY MEASURES SHOULD BE STIPULATED.
The contract should indicate that the processor will take all the measures required by article 32 GDPR to guarantee a level of security appropriate to the risk.
It is important to bear in mind that, even though this is required of the processor, the party obliged to carry out the Data Protection Impact Assessment (article 35 GDPR) is the controller. However, this does not mean that the processor does not have to evaluate the risks present in the processing: article 32 applies to the processor as well as to the controller.
Usually, the security measures that the controller considers the processor has to apply are stipulated in the contract. Nevertheless, this is not the only way to establish them, as the controller can instead refer to a standard, an approved code of conduct or a certification mechanism that the processor has to comply with (article 28 (5) GDPR).
5. IT SHOULD REGULATE THE POSSIBLE USE OF A SUB-PROCESSOR.
The processor must have the prior written authorisation of the controller to engage another processor (a sub-processor) to carry out specific processing activities on behalf of the controller (article 28 (2) GDPR).
In the contract, the parties can indicate that the controller authorises the processor to subcontract part of the processing. This authorisation can be general or specific, in which case the concrete sub-processor is identified.
It should be borne in mind that, in the case of a general authorisation, the processor must inform the controller of any intended addition or replacement of sub-processors, as the controller has the right to object to the change and prohibit the subcontracting of the processing.
In addition, it should be borne in mind that if the sub-processor fails to fulfil its data protection obligations, the initial processor remains fully liable to the controller (article 28 (4) GDPR). For this reason, the contract between the processor and the sub-processor must impose on the sub-processor the same data protection obligations as those set out in the contract between the controller and the processor.
6. COOPERATION IN COMPLYING WITH THE OBLIGATION TO RESPOND TO THE EXERCISE OF RIGHTS BY DATA SUBJECTS.
The contract should set out the organisational measures agreed between the parties for fulfilling the obligation to respond to requests for exercising the data subject's rights (Chapter III GDPR).
There are two main ways of establishing this, depending on whether or not the processor assumes the obligation to respond to the requests:
- If the processor assumes the obligation, the parties should establish, in a clear and concrete way, the maximum time for attending to the requests and the procedure for doing so;
- If the processor does not assume the obligation, the parties should indicate the maximum time for communicating to the controller any request sent to the processor and the procedure for doing so.
In both cases, the agreed deadlines must leave the controller enough margin to respond to the data subject within one month of receipt of the request, as article 12 (3) GDPR requires.
7. COLLABORATION BETWEEN THE CONTROLLER AND THE PROCESSOR TO FULFIL THE CONTROLLER'S OBLIGATIONS.
The processor is obliged to assist the controller in ensuring compliance with the controller's obligations under articles 32 to 36 GDPR (security measures, notification of a personal data breach to the supervisory authority, communication of a personal data breach to the data subject, DPIAs and prior consultation), taking into account the nature of the processing and the information available to the processor.
For this reason, the contract should describe how the processor will cooperate with the controller. In the case of a personal data breach, for example, the processor must notify the controller without undue delay after becoming aware of it (article 33 (2) GDPR), so the contract should fix the procedure, the contact points and the deadline for that notification.
8. THE DELETION OR RETURN OF PERSONAL DATA AT THE END OF THE SERVICE.
The contract should state that, at the end of the service provided by the processor, the controller chooses whether the processor has to return the data to the controller or delete it. In addition, it should be stated that the processor has the obligation to delete the existing copies, including those it may be keeping as backups, unless Union or Member State law requires the processor to store the personal data (article 28 (3) (g) GDPR).
So, the parties should indicate the procedure and the period for complying with this return/deletion process.