
The UK Information Commissioner’s Office (ICO) has issued several new guidance documents on Data Controllers, Data Processors and the interaction among them.
Key points of the Contracts guidance include:
- Whenever a controller uses a processor, there must be a written contract (or other legal act) in place.
- If a processor uses another organization (i.e. a sub-processor) to assist in its processing of personal data for a controller, it needs to have a written contract in place with that sub-processor.
- The contract is important so that both parties understand their responsibilities and liabilities.
- The GDPR sets out what needs to be included in the contract. This is reflected in Art. 28 of the GDPR.
Controllers and Processors under GDPR
Key points of the Controller/Processor guidance include:
- Your obligations under the GDPR vary depending on whether you are a controller, joint controller or processor.
- The key question is: who determines the purposes for which the data are processed and the means of processing?
- If specialist service providers (e.g. accountants) are processing data in line with their own professional obligations, they will be acting as the controller.
- Joint controllers decide the purposes and means of processing together.
- Processors act on behalf of the relevant controller and under their authority. They serve the controller’s interests.
- If you are a processor, as soon as you process personal data outside your controller’s instructions, you will be acting as a controller for that element of your processing.
- Joint controllers are not required to have a contract, but you must have a transparent arrangement that sets out your agreed roles and responsibilities for complying with the GDPR. The main points of this arrangement should be reflected in the privacy notice.