GDPR and outsourcing contracts

GDPR hunArticle 28 of the GDPR requires data controllers to deal with partly new issues identified in a long list in their contracts concluded with data processors. The purpose of the new contractual arrangements is to ensure the protection of individuals whose data are the subject of outsourcing. The risk of data handling is shared by the data controller and the data processor.

From the point of view of data controllers and processors, this also means that they have to reconsider the outsourcing contracts and the previously used business model.

GDPR significantly extends the list of contractual obligations imposed on the data processor. This increase in obligations can be divided into three main categories: obligations
•    imposing technical and organizational measures on the data processor,
•    increasing communication between the data processor and the controller,
•    arising from risks due to “non-compliance” during the performance of the.

1. Technical and organizational measures

The data controller can only entrust a service provider with data processing that can provide reasonable assurance that it will introduce technical and organizational measures that meet the requirements of GDPR and ensure the safe handling of data.

This means that the data controller shall virtually carry out a due diligence examination on the potential data processor prior to the conclusion of a contract, and the contract shall include and detail the technical and organizational measures that the data processor has already introduced or is about to introduce.

Monitoring the data processing activity:
According to the contract, the data processor shall document the data processing activity. A record of the data processing activity carried out on behalf of the data controller shall be kept. Perhaps it is needless to say how much this will increase the administrative burden.

A confidentiality clause should also be included in the contract in which the data processor ensures that the personal data is handled confidentially.

The data processor shall ensure an adequate level of data protection.

Along with the completion of the data processing service, the data processor shall ensure that the personal data are deleted or returned to the data controller.

2. Communication requirements

The data processor may not entrust another data processor as a subcontractor without the prior written consent of the data controller. In the case of subcontracting, the data processor shall ensure that the subcontractor applies the same data protection rules as the data processor agreed on with the data controller. The data processor is responsible for the mistakes of the subcontractor.

The data controller shall oblige the data processor to act according to his/her instructions. The data processor shall immediately inform the data controller if s/he finds that an instruction violates the laws of the GDPR or the Member State. According to the GDPR, if a data processor determined the purpose and means of the processing activity without following the relevant instructions of the data controller, the data processor shall be regarded as a data controller in that capacity. The contract shall specify exactly what constitutes a data controller’s instruction (which policies, procedures are considered to be instructions, who are entitled to give instructions, etc.). Specifying who will bear the extra costs of changing the instructions should also be provided for.
The data processor shall cooperate in fulfilling the data controller’s obligations. The contract shall include the procedural requirements that shall be followed for requests for the processing of personal data.

The data processor shall immediately notify the data controller whenever s/he has been aware of any breach of the rules governing the processing of personal data. The data processor shall provide the data controller with all the information necessary to verify the fulfillment of his/her obligations, and allow the inspectors or the auditors appointed by the data controller to inspect them. For this reason, the contract should include a section on the levels affected by such an inspection and who will bear the costs thereof.

gdpr news3. Sharing risks

Liability and compensation rules arising from breaches of the GDPR shall be contractually stipulated. It is necessary to determine who is to bear the risks in various cases of breaches of the obligations set out in the GDPR.
Data controllers and data processors have to face the following risks from failure to comply with the GDPR regulations:

4% of global sales revenues of the previous year or 20 million Euros.

Claims for damages:
Both material and non-material damages may be claimed by the persons concerned due to the breach of data handling..

Other sanctions:
Surveillance authorities are supposed to have other sanctions, but we do not have insight into this in the absence of local regulations.

What are the most important things to do

1. It needs to be understood what this is all about, why it is important and what the risks are if an organization does not deal with it.
2. The processes involved shall be identified as soon as possible and, if necessary, make them compliant with the GDPR.
3. Existing contracts should be reviewed if they comply with the GDPR.
4. The conditions for the traceability of the data processing activity shall be ensured.
5. It is necessary to review the rights to access the data within the organization, whether they are in digital or paper-based documents.
6. It is necessary to examine whether the data controller and the data processor have adequate liability insurance for the management of the risks involved.
7. Organizations should introduce rules on data handling and provide for the training of the employees.
8. Other tasks related to the organizations or the activities.