On 13 September 2017, the UK Information Commissioner’s Office (ICO) published draft guidance on contracts and liabilities between controllers and processors under the GDPR.

The draft guidance does not add substantial detail to the provisions of the GDPR but is a useful reminder of the key points. For example, it highlights the requirement for a written contract between the controller and any of its processors and summarises the provisions that the GDPR states must be included in the contract, specifically:

  • The subject matter and duration of the processing
  • The nature and purpose of the processing
  • The type of personal data and categories of data subjects
  • The obligations and rights of the controller
  • The obligations of the processor to:
    • Only act on the written instructions of the controller
    • Ensure that people processing the data are subject to a duty of confidence
    • Take appropriate measures to ensure the security of processing
    • Only engage sub-processors with the prior consent of the controller and under a written contract
    • Assist the controller in responding to data subject requests to exercise their rights under the GDPR
    • Assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments
    • Delete or return all personal data to the controller as requested at the end of the contract
    • Submit to audits and inspections and provide the controller with any information needed to demonstrate compliance with its processor obligations under the GDPR. Processors are also under an obligation to inform the controller if the controller's instructions infringe the GDPR or other data protection law.

It is unlikely that current controller-processor contracts will cover all of these points, so existing contracts will need to be reviewed and updated to address these requirements.

One of the biggest changes that the GDPR brings is that processors have direct responsibilities and obligations under the GDPR beyond the terms of their contracts with controllers. In particular, processors may be liable for fines and to pay compensation for non-compliance with specific processor obligations under the GDPR or where they act outside or contrary to the lawful instructions of the controller. However, the draft guidance also reminds controllers that they retain ultimate responsibility for ensuring that data is processed in a compliant manner, even if they appoint a processor to process data on their behalf. Controllers will only be exempt from liability under the GDPR if they prove that they were ‘not in any way responsible for the event giving rise to the damage’ resulting from non-compliant processing.

Consultation on the draft guidance closes on 10 October 2017, so businesses that wish to push the ICO to provide greater clarity should submit comments to the ICO in the next couple of weeks.