Article 28(3) of the General Data Protection Regulation 2016/679 ("GDPR") provides that data processors must enter into contractual clauses with data controllers which govern how personal data (provided by the data controller) will be processed by the data processor. The contract(s) between the data processor and the data controller must include certain clauses such as the following:
Personal data will only be processed by the data processor in accordance with documented instructions from the data controller.
Staff working for the data processor have agreed to confidentiality obligations (such as in their employment contract or a separate confidentiality agreement) in respect of the personal data that they will be processing.
The data processor will delete or return all personal data to the data controller at the end of the services relating to the processing (unless it is required to store this personal data due to other legal and compliance requirements such as those concerning financial record keeping).
The data processor will assist the data controller in ensuring compliance with other obligations (such as assisting with data subjects when they are exercising their rights) under the GDPR.
Over the last year, we have often heard organisations say: "The majority of our data processors are large organisations, so surely their standard terms and conditions have been updated to comply with Article 28(3) of the GDPR. There is most likely nothing for us, as a data controller, to do in order to be compliant with this requirement, especially as this requirement places the burden on data processors to ensure that contractual arrangements are in place". The assumption in this statement is wrong for four key reasons.
Reason 1: Not all data processors take the same approach.
Whilst certain data processors have the right to amend their standard terms and conditions unilaterally and have subsequently updated them to incorporate the requirements of Article 28(3), not all data processors have taken the same approach. For example, some data processors have created separate data processing agreements which require their clients, as data controllers, to take active steps in order for these data processing agreements to become effective. Asana, Atlassian, Citrix, Hootsuite, Monday.com, Receipt Bank, Slack, Xero and Zoho all require data controllers to take active steps: to review their data processing agreements and, if happy with them, to sign and return them.
Reason 2: It is in the data controller's interest to actively engage with its data processors on the requirements under Article 28(3) of the GDPR.
Whilst Article 28(3) appears to place the responsibility on data processors to enter into certain contractual clauses with their data controllers, these clauses are for the benefit of the data controller and therefore the data controller should be actively engaging with its data processors to ensure that these are put in place. For example, there may be instances where a data controller receives a data subject access request (under Article 15 of the GDPR) and it will need to engage with its data processors in order to obtain all of the data that it holds and has processed on a certain data subject. Data subject access requests are required to be completed within one calendar month, and it is in a data controller's interest to have a contractual clause with its data processors which requires them to assist it in this type of situation.
Reason 3: All organisations (i.e. data controllers and data processors, unless the Paragraph 5 exemption applies) are required to maintain a record of all of their processing under Article 30 of the GDPR.
Data controllers (unless the smaller-organisation exemption applies to them) are required to maintain a record of their processing, and most data controllers do this within an internal data register in order to comply with Article 30 of the GDPR. As part of this exercise, data controllers are required to enter information about their data processors within this data register. In addition, we advise our clients to store all of their contractual documentation with these data processors in one place; this also ties into ensuring that there are contractual arrangements that comply with Article 28(3) of the GDPR.
Reason 4: All organisations (i.e. data controllers and data processors) are required to put in place appropriate technical and organisational measures to ensure a level of security under Article 32 of the GDPR.
As data controllers are required to put in place appropriate technical and organisational measures to ensure a level of security, one of the ways in which they can achieve this is through having contractual clauses with their data processors on the personal data that is to be processed. This is because these contractual clauses will outline certain requirements to ensure that security is in place, for example ensuring that staff working for the data processor agree to confidentiality obligations and therefore protect the integrity of the personal data that is being processed.
Ensuring that you have a robust and fully functional GDPR program
We advise our clients not to look at Article 28(3) in isolation, or to fall into the trap of assuming that it is the data processor's responsibility to ensure that it has contractual clauses with its data controllers that comply with Article 28(3). At Aria Grace Law, several of our lawyers are experienced data privacy experts and can assist your organisation in achieving any of the following:
Creating and populating an internal data register.
Reviewing all of your contractual agreements with third party suppliers (including advising you on any liability and indemnity provisions with your third-party suppliers and their sub-processors).
Supporting you to put in place various appropriate technical and organisational measures (such as governance frameworks, policies and procedures etc.).
If you would like to find out more and/or instruct us, please contact us on email@example.com.
Privacy Update by Puja Modha, Partner at Aria Grace Law 11.11.2019