How GDPR will change your commercial contracts
Both data controllers and data processors are subject to the GDPR, and data processing arrangements will come under more scrutiny.
Where a data controller contracts with a third party to carry out data processing, a due diligence exercise needs to be carried out to ascertain that the correct data security measures are in place and to ensure overall GDPR compliance in areas such as breach notification, accessibility and retention of data.
Article 28 of the GDPR requires that agreements with data processors are governed by a binding contract which, in summary, should set out the following information:
- The subject matter and duration of processing
- The nature and purpose of processing
- The type of personal data and categories of data subjects
- The obligations and rights of the controller and the processor
- The risk to the rights and freedoms of the data subject
The specific requirements as regards the processor are as follows:
(a) Processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
(b) Ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) Takes all measures to implement the appropriate technical and organisational measures required to ensure a level of security appropriate to the risk.
(d) Shall not engage another processor without prior specific or general written authorisation of the controller. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract shall apply.
(e) Taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR.
(f) Assists the controller in ensuring compliance with the obligations pursuant to the articles concerning:
- Security of processing
- Notification of a personal data breach to the supervisory authority
- Communication of a personal data breach to the data subject
- Data protection impact assessment
- Prior consultation
taking into account the nature of processing and the information available to the processor.
(g) At the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless EU or Member State law requires storage of the personal data.
(h) Makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in the GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
Organisations will therefore need to carry out an audit of existing contracts, determine whether they are GDPR compliant and, if not, how to effect compliance. This may be done more effectively by way of a side letter or a standalone data processing agreement, as warranties and indemnities for breach become part of the contractual negotiation.