GDPR – Data Controllers & Data Processors
Where two businesses enter into a contract, and a ‘data controller/data processor’ relationship has been created, the GDPR requires specific terms to be written into the terms of the agreement.
The contract will, for instance, need to ensure that the data processor:
- only processes personal data in accordance with the data controller’s instructions;
- ensures that its employees, sub-contractors and other third parties keep the personal data confidential;
- provides assistance to the data controller in taking appropriate measures to keep the personal data secure;
- provides assistance to the data controller when it responds to data subject requests; and
- deletes and returns all personal data to the data controller at the end of the contract where required to do so.
This is not a comprehensive list of the GDPR requirements but instead highlights the fact that businesses have legal obligations to bear in mind when entering into contractual arrangements involving the transfer of personal data. As commercial solicitors, we often find that these requirements are still overlooked in business agreements, caused in many cases by a lack of awareness, and misconceptions as to what constitutes a data controller/data processor relationship.
A data controller/data processor relationship arises where the business arrangement involves the transfer of personal data from one party (the data controller) to another (the data processor). A business, for example, signing a contract with a payroll company to pay each employee’s wages will involve the disclosure of employee personal data, causing GDPR to apply.
Matters become slightly more complicated where there is a debate over whether the party is a data controller or data processor. In general, the data controller is the party ‘controlling’ the way in which personal data is processed. A data processor by comparison processes the personal data in accordance with the data controller’s instructions. It is important that these distinctions are ascertained at the start of the business relationship in order to maintain compliance with GDPR and the requirements set out above.