When a controller uses a third party to process personal data on its behalf – known as a processor – certain provisions must be included in a written contract in order to comply with the Data Protection Act 2018 (UK GDPR).
If you, as a controller, use a processor to process personal data on your behalf (which could include cloud service providers, web hosting providers, third party HR solutions or off-site storage), under the UK GDPR your contract with that processor must include the following detail:
- the subject matter and duration of the processing, the nature and purposes of the processing and the type of personal data and categories of data subjects
- obligations on the processor (under Articles 28 and 29 of the UK GDPR) to:
- process personal data only on your written instructions (including with regard to transferring personal data outside the UK) unless the processor required to process personal data by UK law
- immediately tell you if it believes an instruction from you breaches the UK GDPR or any other UK data protection laws
- ensure that anyone (including their employees, contractors etc) who is authorised to process personal data agrees to keep that personal data confidential or is under an appropriate statutory obligation of confidentiality
- take all measures required under the UK GDPR to ensure that they comply with the requirements around keeping personal data secure (including as set out in Article 32)
- not engage another processor without:
- prior specific or general written authorisation from you (in the case of general written authorisation, the processor must tell you of any intended changes concerning the addition or replacement of other processors and give you the opportunity to object to such changes)
- flowing down the same data protection obligations on that sub-processor
- be responsible and liable to you if a sub-processor fails to perform its data protection obligations
- assist you by appropriate technical and organisational measures (insofar as this is possible) to respond to data subjects exercising the rights that they have under the UK GDPR (taking into account the processing that they do for you)
- assist you in complying with your obligations around security, notification of security breaches, and data protection impact assessments (taking into account the nature of processing and the information available to the processor)
- delete or return (at your choice) to you all personal data after the end of the provision of services, and delete existing copies unless UK law requires further storage of that personal data by the data processor
- make available to you all information necessary to demonstrate their compliance with their obligations under the UK GDPR and allow (and contribute to) audits conducted by you or another auditor mandated by you
- further (non-Article 28/29) obligations on the processor to:
- comply with your instructions in relation to transferring personal data to countries outside of the UK (Articles 44 to 49)
- keep records of its processing activities if the thresholds in Article 30 are triggered
- notify you of any personal data breaches (Article 33(2))
- employ a data protection officer if the thresholds in Article 37 are triggered
- appoint a representative within the UK in certain instances (Article 27).
If you, as a controller, fail to comply with the requirements above and don’t include such terms in contracts with processors, the ICO could fine you the greater of £8.7m (€10m) or 2% of your total annual turnover in the preceding 12 months.
So you’ve negotiated all the required UK GDPR terms. What do the liability terms say about the processors financial liability if they breach any of those UK GDPR terms? Chances are liability will be lumped in with the general liability provisions where the processors liability is limited to the value of the contract.
If a processor fails to meet its obligations, or acts outside or against your instructions, it may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures. Furthermore, processors remain liable to you for the compliance of any sub-processors they engage.
As a controller, you will undoubtedly want a full indemnity from your processor for any regulatory fines and unlimited liability for losses caused by a breach. A savvy processor will resist this and will not want to be exposed to a disproportionate amount of liability as compared to the contract value, the potential lack of insurance cover, its actual degree of culpability for any breach and its own financial resources.
Negotiating an appropriate liability provision could therefore become quite contentious. It is therefore important to ensure that the liability provisions are reviewed and negotiated; as a minimum, any data protection liabilities should have a separate financial cap and not be included within a general damages cap.
What do data controllers need to do now?
You need to start looking at your processor contracts and negotiating amendments to reflect the above. If processors are unwilling to make the changes, you need to look at other options including potentially (legally) terminating your relationship with them. If you continue to use processors who are not compliant with the UK GDPR, you risk a substantial fine because controllers are only permitted under the UK GDPR to use processors that “provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner the processing will meet the requirements of” the UK GDPR and “ensure the protection of the rights of data subjects”.
If you would like assistance with negotiating amendments to your processor contracts, or need advice generally on the UK GDPR, please contact us.
Disclaimer: This article is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from taking any action as a result of the contents of this article.