Under the Data Protection Act 1998 (“the 1998 Act”), a controller that employed a third party to process personal data on its behalf (a “processor”) could demonstrate its compliance with the security principle by having a contract in place with the processor.
Typically, this contract would have required the processor to only act upon the controller’s instructions and to take appropriate measures to keep the personal data secure.
Under the GDPR, there is a separate, standalone obligation to have a contract. The contract requirements are also more wide-ranging and are no longer confined to ensuring the security of personal data: they aim to ensure that any processing of personal data by a processor complies with all of the GDPR’s requirements and protects the rights of data subjects. The GDPR sets out specific terms that must, as a minimum, be included in the contract.
The contract must state details of the processing, and must set out the obligations and rights of both the controller and the processor. It must also include the standards the processor has to meet when processing personal data.
This is a significant change to what the 1998 Act required. However, in practice, existing contracts may have already included some of the new requirements for commercial reasons or as good practice under the 1998 Act.
The GDPR also allows the contract to include standard contractual clauses issued by the European Commission or by a supervisory authority, such as the ICO. Again, this is a significant change in the law but, initially at least, it should make little practical difference, as standard clauses are not yet available.
In the future, processors may be able to demonstrate that they provide ‘sufficient guarantees’ to process personal data in line with the GDPR by adhering to an approved code of conduct or certification scheme. No such codes or schemes have been approved so far, so, initially at least, this should make little practical difference.
The main difference is that processors now have direct GDPR responsibilities and obligations, outside the terms of the contract. Processors can be held directly responsible for non-compliance with their GDPR obligations. They may be subject to administrative fines or other sanctions and liable to pay compensation to data subjects.