Data Processing contracts - why are they needed?
Thursday, 18 January 2018
The EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) will come into force in Ireland on 25 May 2018, and will replace the existing data protection legal regime. Under the GDPR it will be a mandatory requirement to have data processing contracts in place between data controllers and data processors in respect of any personal data processing activities. It is a boardroom issue for organisations involved in data processing to ensure that appropriate data processing contracts are in place that not only comply with the GDPR but also adequately protect the organisation’s interests from a liability perspective.
Are you a controller or a processor?
The GDPR applies to, and imposes responsibility on, two types of entities processing personal data, namely: controllers and processors.
A controller is a natural or legal person, public authority, agency or other body which alone or jointly with others, collects and determines the purposes and means of the processing of personal data.
A processor then is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (e.g. outsourced service providers).
Practically all businesses/employers are data controllers if they control the use of any data that can identify individuals (e.g. customer, client, patient, employee details etc.). Data processors process data on the instructions of data controllers. Examples of data processors are outsourced third party service providers dealing with matters such as payroll, archiving, printing, marketing, assessing medical reports etc. on behalf of the data controller.
Current data protection legislation in Ireland does not impose direct obligations on processors; generally, processors currently only have to comply with the terms of the data processing contract (if any) that they have agreed with the controller. Despite the existence of such contracts, controllers presently remain legally responsible for any breaches of data protection law caused by the actions of their processors.
In contrast, the GDPR places direct obligations and potential liability on processors as well as controllers. The GDPR also specifies mandatory contractual terms that controllers and processors must include in their data processing contracts.
Under the GDPR, the potential implications of non-compliance will be significant. Administrative fines of up to €20,000,000 or 4% of the non-compliant organisation’s annual worldwide turnover in the preceding financial year (whichever is the greater) may be imposed by the Data Protection Commissioner. Affected data subjects will also have the right to directly sue controllers and processors for damages in the event of any breach of their rights. Investigations, fines, litigation etc. will all also have a material impact on an organisation’s reputation.
Controllers will be liable for damage caused by data processing which infringes the GDPR. Processors on the other hand will be liable where they have not complied with obligations specifically directed at them under the GDPR, or have acted outside or contrary to lawful instructions from the controller.
Controllers and processors may only escape liability where they prove they are not in any way responsible for the event giving rise to the damage. This is combined with the concept of ‘joint and several’ liability under the GDPR, which holds each controller and processor involved in the same processing liable for the damage caused. This joint and several liability means that data subjects may choose whom to pursue, and are likely to opt for the controller or processor with the deepest pockets. It will then be for the controller and processor to claim back from the other controller or processor that part of the compensation corresponding to their responsibility for the damage.
Allocation of risk
The new liability provisions under the GDPR emphasise the importance of a controller and processor managing their potential liability and risk between themselves in the data processing contract between them both (for example, by way of appropriate warranties, indemnities, liability caps, limits on liability, insurance etc.). Depending on the risk profile and bargaining power between the parties, such liability provisions can often be heavily negotiated elements of data processing contracts.
Mechanisms should also be agreed in the data processing contracts for resolving disputes regarding respective liabilities to settle compensation claims, as there will inevitably be litigation on the issue of causation in the context of a data breach, in light of the new provision allowing for joint liability.
Mandatory provisions in data processing contracts
In addition to the important allocation of risk provisions, the data processing contract must also set out the subject matter and duration of the processing; the nature and purpose of the processing; the type of personal data to be processed; the categories of data subjects; and the obligations and rights of the controller. The following mandatory terms also need to be imposed on the processor in the data processing contract:
- to process data only on the documented instructions from the controller;
- to ensure that the processor's staff are committed to confidentiality;
- to take all appropriate security and organisational measures in respect of the processing activities;
- to sub-contract only with the prior permission of the controller (and if sub-contracting is permitted, the sub-processor should be subject to the same obligations as the processor, and the processor shall remain liable to the controller in respect of the sub-contracted processing);
- to assist the controller in complying with the rights of the data subject;
- to assist the controller in complying with its data breach notification obligations;
- to delete or return all personal data to the controller, if requested, at the end of the processing; and
- to make available to the controller all information necessary to demonstrate compliance with its processing obligations and allow audits to be conducted by the controller.
The substantial reinforcement of data protection rules under the GDPR emphasises the need for organisations to ensure that comprehensive data processing contracts are put in place. Data processing contracts can be stand-alone contracts, or the necessary provisions can be built into a larger services contract between the controller and the processor.
Organisations should firstly review their data processing activities and establish whether they are acting as a controller or processor in respect of any particular processing. Secondly, they should review the current contractual framework in place with regard to such processing and update this to ensure compliance with the GDPR, but also to ensure that there is appropriate allocation of risk between the controller and processor in such contracts.