The current obligations in respect of contracts between processors and controllers will be strengthened and adjusted by the GDPR, so they are well worth becoming familiar with now.
Whenever a controller uses a processor, they must have a written contract in place (as is currently but narrowly provided for). This contract is important so that both parties are aware of their responsibilities and liabilities. The GDPR clearly sets out what needs to be included in the contract (Art 28).
The GDPR will provide that written contracts between controllers and processors are a general requirement, rather than just a way of demonstrating compliance with appropriate security measures. Currently, a controller is seen as carrying a disproportionate weight of responsibility for compliance when compared to their processor. The GDPR will seek to narrow this gap and sets out that these contracts must now include certain specific terms (Art 28 (3) a-h). Further, these terms are designed to ensure that the processor’s relevant activity meets the requirements of the GDPR in the same way as the controller.
So the GDPR essentially elevates processors’ responsibilities and liabilities in their own right. Processors, as well as controllers, can therefore now be held liable to pay damages or be subject to fines or other penalties.
The GDPR also provides that a processor may be bound to an approved code of conduct, certification scheme or a standard contractual clause in support of a claim by a controller that they have demonstrated that they have selected a suitable processor (Art 28 (5-6)).
The GDPR allows for standard contractual clauses (once they are drafted!) from the EU Commission or a supervisory authority (such as the DPC) to be used in contracts between controllers and processors.
For an overview of what a data controller or a data processor is, check out the European Commission information HERE.
Creation and maintenance of contracts between Controllers and Processors can sometimes be tricky and unclear. If you would like me to have a look at, or create, a PCC for you, please contact Donnacha at:
Carter Anhold & Co., Solicitors (Sligo and Dublin) at +353 71 9162211