A contract with a data processor is essential in order to remain compliant with the regulation. The regulation sets specific requirements for any such contract, including contractual clauses that must be present for it to be compliant. These are summarised as:
- The processor should only process personal data on documented instruction from the data controller, including transfers to a third country.
- The processor should ensure that those authorised to process the personal data are committed to confidentiality.
- The processor should take all measures required to meet the security requirements of the personal data, implementing appropriate technical and organisational measures.
- The processor should not engage another processor without prior specific written authorisation from the controller, and should ensure that the other processor protects the data in the same way as stipulated in its own contract.
- The processor should assist the controller in ensuring its own technical and organisational measures are in place, in particular by ensuring the controller can respond to data subjects' rights.
- The processor should assist the controller in ensuring security and the assessment and management of any security breaches.
- The processor should return the personal data to the controller at the end of the contract (if so required by the controller).
- The processor must make available to the controller all information necessary to demonstrate compliance with the articles of GDPR.
If any of the above contractual clauses are absent from a contract, it is recommended that a new contract or a contract addendum is sought to ensure that the relationship is compliant.
How can ProvePrivacy Help?
ProvePrivacy allows RoPA users to add all contracts as part of the Data Sharing Assessment. All of the above clauses are noted within this assessment, and if any are identified as absent, a risk is added to the risk log.