Why are contracts between controllers and processors important?
The GDPR imposes a legal obligation on controllers and processors to formalise their working relationship. Aside from the legal requirements, this makes practical and commercial sense.
By having a contract in place with the required terms, controllers and processors are:
ensuring they each comply with the GDPR;
protecting the personal data of customers, staff and others; and
ensuring both parties are clear about their role regarding the personal data that is being processed and are able to demonstrate this.
When does the GDPR say a contract is needed?
The GDPR says that a contract is needed in two circumstances.
Firstly, Article 28(3) states that:
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller…
This means every time a controller uses a processor to process personal data, there must be a written contract that binds the processor to the controller in respect of its processing activities.
Article 28(3) could be complied with not only by a direct contract between the controller and the processor, but also by other legally binding contractual arrangements (for example, a set of contracts between multiple parties) provided the processor is ultimately bound, as a matter of contract law, to each controller in respect of the particular processing.
Secondly, Article 28(4) states that:
Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of contract or other legal act…
This means that every time a processor uses another processor (a sub-processor), there must be a written contract between the processor and the sub-processor. The terms of the contract that relate to Article 28(3) must offer an equivalent level of protection for the personal data as those that exist in the contract between the controller and the processor.
What about other legal acts?
The GDPR refers to a contract ‘or other legal act’. But, in practice, in the UK, contracts are likely to be the appropriate means of complying with Article 28(3).
What is the difference between a controller and a processor?
The GDPR defines a controller and processor as:
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
It is common practice for a controller to engage a processor to process personal data on its behalf – for example, to take advantage of the processor’s expertise and experience in a particular type of processing operation.
A specialist company provides software and data analysis to process the daily pupil attendance records of a state-maintained school for an annual fee. For the software provision the company is not a processor, but for the data analysis it is a processor for the school.
The readers of a monthly science magazine receive a hard copy delivered to their home. Their subscriptions and the mailings are handled by a separate company at the publisher’s request. The company is a processor for the magazine publisher.
A marketing company sends promotional vouchers to a hairdresser’s customers on the hairdresser’s behalf. The marketing company is a processor for the hairdresser.
An organisation uses a cloud service to store and analyse its data. The organisation remains the controller and the cloud service provider is its processor.
What are sub-processors and when are they used?
A processor might wish to use the services of another processor to assist with the processing it is carrying out on the controller’s behalf. For shorthand, this is sometimes referred to as using a ‘sub-processor’, although this is not a term taken from the GDPR itself. Before employing a sub-processor, the original processor must inform the controller and obtain its prior specific or general written authorisation.
If authorisation is given, the processor must put in place a contract with the sub-processor. The terms of the contract that relate to Article 28(3) must offer an equivalent level of protection for the personal data as those that exist in the contract between the controller and the processor.
The controller and processor must be party to the contract. In any sub-processing arrangements, the relevant parties to the contract will be the processor and sub-processor.
For organisations with no separate legal personality (eg unincorporated partnerships or unincorporated associations), you should review the document which sets up and governs the management of that organisation. This document should set out which individual(s) manage the organisation on behalf of its members and are likely to act as the controller or joint controllers, and how contracts may be entered into on behalf of the organisation.