Seminar 17 - Data Processing Agreements Flashcards
Is a DPA a requirement?
Yes. The GDPR makes written contracts between controllers and processors a general requirement, rather than just a way of demonstrating compliance with the seventh data protection principle (appropriate security measures) under the DPA.
What are the key changes to make in practice? What do we need to do with regard to dates?
Any contracts in place on 25 May 2018 will need to meet the new GDPR requirements.
When is a contract (DPA) needed, and where is that in the GDPR?
- Whenever a controller uses a processor (a third party who processes personal data on behalf of the controller) it needs to have a written contract in place.
- Similarly, if a processor employs another processor (a sub-processor), it needs to have a written contract in place.
Art. 28.3.
Why are contracts between controllers and processors important?
- ensure that they both understand their obligations, responsibilities and liabilities;
- help them to comply with the GDPR;
- help controllers to demonstrate their compliance with the GDPR; and
- may increase data subjects’ confidence in the handling of their personal data.
Overall: The contract should set out what the processor is expected to do with the data.
What details about the processing must the contract include?
- the subject matter;
- how long it is to be carried out for;
- what processing is being done;
- its purpose;
- the type of personal data;
- the categories of data subjects; and
- the obligations and rights of the data controller.
Can standard contractual clauses be used?
- The GDPR allows standard contractual clauses from the EU Commission or a Supervisory Authority (such as the ICO) to be used in contracts between controllers and processors. However, no standard clauses are currently available.
What is the controller’s liability when it uses a processor?
As a data controller you are ultimately responsible for ensuring that personal data is processed in accordance with the GDPR.
What responsibilities and liabilities do processors have in their own right?
- A processor must only act on the documented instructions of a controller.
- If a processor determines the purpose and means of processing (rather than acting only on the instructions of the controller) then it will be considered to be a controller and will have the same liability as a controller.
Who is liable if a sub-processor is used?
The sub-processor has the same direct responsibilities and liabilities under the GDPR as the original processor has.
If a sub-processor is used and someone makes a claim for compensation, who is responsible/liable?
There are potentially three liable parties: you as controller, the original processor, and the sub-processor.
Give an example of a sub-processor.
The readers of a monthly science magazine receive a hard copy delivered to their home. The subscriptions are handled by a company which is separate from the magazine publisher. Rather than arranging the mailings itself, the subscription company uses a different company as sub-processor to administer the mailing list and arrange the mailings to subscribers.
Give an example of a processor.
A marketing company sends promotional vouchers to a hairdresser’s customers on the hairdresser’s behalf.