How GDPR will change your commercial contracts


Both data controllers and data processors are subject to the GDPR, and data processing arrangements will come under more scrutiny.

Where a data controller contracts with a third party to carry out data processing, it needs to carry out a due diligence exercise to ascertain that appropriate data security measures are in place and to ensure overall GDPR compliance in areas such as breach notification, data subject access and retention of data.

Article 28 of the GDPR requires that processing by a data processor is governed by a binding contract (or other legal act) which, in summary, must set out the following information:
>  The subject matter and duration of processing
>  The nature and purpose of processing
>  The type of personal data and categories of data subjects
>  The obligations and rights of the controller
The specific requirements as regards the processor are that it:
(a)  Processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

(b)  Ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c)  Takes all measures required under Article 32 (security of processing), i.e. implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

(d)  Shall not engage another processor without prior specific or general written authorisation of the controller. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract shall apply to that other processor, and the initial processor remains fully liable to the controller for the performance of the other processor's obligations.

(e)  Taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR.

(f)  Assists the controller in ensuring compliance with the obligations pursuant to the articles concerning:

  >  Security of processing
  >  Notification of a personal data breach to the supervisory authority
  >  Communication of a personal data breach to the data subject
  >  Data protection impact assessment
  >  Prior consultation
taking into account the nature of processing and the information available to the processor.

(g)  At the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless EU or Member State law requires storage of the personal data.

(h)  Makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller. Under the same paragraph, the processor must immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other EU or Member State data protection provisions.

Organisations will therefore need to audit their existing contracts, determine whether they are GDPR compliant and, if not, decide how to effect compliance. Amending existing arrangements may be more effectively achieved by way of a side letter or a standalone data processing agreement, since warranties and indemnities for breach will become part of the contractual negotiation.
