The UK Information Commissioner’s Office (ICO) has issued several new guidance documents on Data Controllers, Data Processors and the interaction among them.

Key points of the Contracts guidance include:

  • Whenever a controller uses a processor, there must be a written contract (or other legal act) in place.
  • If a processor uses another organization (i.e. a sub-processor) to assist in its processing of personal data for a controller, it needs to have a written contract in place with that sub-processor.
  • The contract is important so that both parties understand their responsibilities and liabilities.
  • The GDPR sets out what needs to be included in the contract; these requirements are laid down in Art. 28 of the GDPR.

Key points of the Controller/Processor guidance include:

  • Your obligations under the GDPR vary depending on whether you are a controller, joint controller or processor.
  • The key question is: who determines the purposes for which the data are processed and the means of processing?
  • If specialist service providers (e.g. accountants) are processing data in line with their own professional obligations, they will be acting as the controller.
  • Joint controllers decide the purposes and means of processing together.
  • Processors act on behalf of the relevant controller and under its authority. They serve the controller’s interests.
  • If you are a processor, as soon as you process personal data outside your controller’s instructions, you will be acting as a controller for that element of your processing.
  • Joint controllers are not required to have a contract, but you must have a transparent arrangement that sets out your agreed roles and responsibilities for complying with the GDPR. The main points of this arrangement should be reflected in the privacy notice.