Often, businesses do not carry out all of their personal data processing activities "in-house". Instead, they may appoint third parties to carry out certain processing activities on their behalf (and subject to their instructions). Such third parties are known as "data processors" under data protection law.
Examples of organisations which provide services to other businesses as data processors are companies providing cloud storage, IT services, HR functions, marketing services and payroll services.
It is already the case under the existing EU data protection regime that contracts with data processors must meet certain legal requirements. However, under the GDPR, additional obligations will apply when you appoint a data processor.
Under the GDPR, the following requirements will apply:
- Before appointing a data processor, you will need to carry out appropriate due diligence and satisfy yourself that the data processor will be able to meet the requirements of the GDPR.
- You will need to enter into a written contract with the data processor.
- Your contract with the data processor will need to contain various contract terms, which are specified in the GDPR.
The above requirements will apply with immediate effect from 25th May 2018 to both new processing contracts and your existing contracts with data processors. You will therefore need to:
- Review and amend any existing contracts with data processors that will still be in force (and still have some time left to run) when the GDPR becomes effective in May next year, to ensure that the new GDPR requirements are incorporated.
- Ensure that any future agreements with data processors meet the new requirements. This should apply to any contracts that you enter into with data processors from now on (even if you suspend the application of the GDPR-compliant provisions until 25th May next year).
It is also important to note that, under the GDPR, data processors (as well as data controllers) will be subject to certain statutory obligations. This is a significant change, as it means that enforcement action can be taken by regulatory bodies (such as the ICO) against data processors, that data processors can be fined for breach of the GDPR, and that they can be sued for compensation by the individuals whose data they process. At present, the obligations and responsibilities of data processors are limited to those imposed on them under their contractual arrangements.
The change means that data processors may want to negotiate (or re-negotiate) their contracts with you so that they can “pass back” liability to you if they are fined or incur damages as a result of undertaking processing on your behalf. As you can imagine, this is an area where negotiations may well become quite heated.
We’ll be back in touch on 23rd November with the next action point. If you have any questions or queries in the meantime, please get in touch with one of our Information Law team members.
If you would like any further information about the GDPR and how it might affect your organisation, please download our Geldards Guide or if you would like to discuss how Geldards can help with training on the GDPR, please do not hesitate to contact our Information Law Team.