The UK’s Information Commissioner (ICO) has published draft GDPR guidance on contracts and liabilities between controllers and processors. The draft guidance is currently open for consultation, with responses due by 10 October 2017.
The purpose of the guidance is to help organisations understand what needs to be included in written contracts between controllers and processors under the General Data Protection Regulation (GDPR). It also looks at the responsibilities and liabilities of controllers and processors.
Written contracts
Under the GDPR, a written contract must be in place when a controller uses a processor to process personal data. This is not a new concept, as data processing agreements are already used to satisfy the security requirements under the Data Protection Directive (95/46/EC). The GDPR, however, is wider in scope and now sets out specific terms that must be included in such contracts; for example, the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data to be processed, the categories of data subjects, and the obligations and rights of the controller. See Article 28.3 of the GDPR and page 12 of the draft guidance for further details.
The GDPR also allows for the use of standard contractual clauses issued by the European Commission or supervisory authority (such as the ICO), and approved codes of conduct or certification schemes which processors can sign up to; however, these are not available yet.