Data Controller and Data Processor Contracts - Part OnePosted in : Business Legal on Data Security on 11 May 2017
In the third video of this series (you can watch the first video here and the second video here), David Fagan examines the contractual level of control that may be required to effectively manage and control data in instances when an organisation outsources the processing of its data. David considers the implications of limiting a contract with a Data Processor to comply with basic legal requirements.
* Want to know how you can train everyone in your organisation on Data Protection, in just a few simple steps? Legal-Island offer a Data Protection Elearning training solution, specific to organisations in Ireland. Please contact a member of our eLearning team on 01 4013874 or firstname.lastname@example.org to find out more.
Legal obligations of a Data Controller
When a data controller wants to outsource the processing of its data, say for example, someone having their payroll done by another organisation, there are certain legal obligations on the data controller (the person who owns the data), there are some required terms, and there are some terms which are just sensible, but not legally required.
For example, by law the contract must be in writing or equivalent form. I've never really understood what ‘equivalent form’ means but, in essence, it must be in writing and, I guess, permanent in some way. Perhaps a contract by video might be ‘equivalent form’.
The obligations of a Data Processor
Secondly, the data processor must only act on the data controller's instructions. So when you send your data to your payroll provider, you don't expect him to use that data for some other purpose other than calculating your staff's wages.
The data processor must keep the data as secure as if it were their own. In essence, there are obligations imposed on you, as a data controller, to keep the personal data that you hold safe and secure. Similarly, when the data processor is processing that personal data on your behalf, it has the same obligation to keep that data safe and secure.
Security guarantee and the written contract
Lastly, the written contract must provide that the data processor provides guarantees of that security and of its processing only on your behalf. That's a funny word because people don't like giving guarantees and sometimes it's impossible to get those guarantees from a data processor.
Don't fall into the trap of thinking that the data controller is a large organisation or the data processor is a small organisation. If Microsoft is processing your data then the chances are that Microsoft is a much larger organisation as ‘processor’ than you are as ‘data controller’ for example.
Responding to queries from the Data Protection Commissioner
What does that mean in practice? Well, I suppose keeping it safe probably implies that you have a right, perhaps, to inspect or audit the data processor. Certainly, if you're getting some form of guarantee, it's hard to see how you would enforce that guarantee unless you could have some form of implied right of inspection or audit. However, it's very difficult to get an organisation to actually agree to this.
Perhaps you want the data processor to assist you with any queries you have from the Data Protection Commissioner, or any queries that you have from the data subjects. That is, the people that the data is about. You'd like to think that when you give your information to a payroll processor, if there's a query, that the payroll processor will answer that query.
If there's a query from your staff member about his or her data, you'd like to think that the payroll provider would answer that question for you, but, of course, that's a matter of contract. What have you agreed with them?
Breach of data processing rules
If there's a breach of data processing rules, for instance, if they've mislaid or accidentally deleted some data or if they've been hacked, you'd like to know. Again, you might wish to put this in your controller-processor contract. You might want a warranty from them regarding their staff training and, of course, they may simply say, "No, we're not giving any such warranty." But it's something that you might consider looking for.
If they are going to transfer that personal data that you have given them to a third party for further processing, a sub-process as it were, you might want to know about that. You might want approval over that.
Transferring personal data
If they propose to transfer your data, your personal data of your staff outside the jurisdiction, you might want to have prior approval of that. You are, after all, liable as controller for all of these things. That processor's liability is simply to keep the data safe and secure and to act on your instructions.
You might wish to, for instance, monitor the activities of some subcontractor. If the data is being transferred from your organisation in Dublin to a payroll provider also in Dublin, but then to their subsidiary in India, you might want some level of control contractually over that.
What does this mean in practice? Well, I suppose in practice it means that your control over your data processor is going to be very limited if your contract is limited to just the things that are legally required. That is to say, that they are required to act only on your instructions and that they are required to keep the data secure.This article is correct at 11/05/2017
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.