A few months before the entry into force of the General Data Protection Regulation (GDPR), many companies have already launched their compliance programs. The compliance program, specific to each company, can vary significantly depending on the size of the company, its customer portfolio and its core business. That being said, it will inevitably include several actions relating to contracts with the company's processors. This is due on the one hand to the increased liability of the processor in the event of a breach of the GDPR and on the other hand to the obligation of the data controller to select only processors offering sufficient guarantees with regard to the data processed.
This requirement inevitably leads to significant upheavals for the data controller in the way it collaborates with and selects its processors. Indeed, this obligation requires a new way of managing the existing and future supplier portfolio.
The first step consists in listing very precisely all the partners and processors who process the personal data of your company's customers or employees. For example, it will be necessary to register your HR software supplier, the service provider in charge of hosting your customer data or the service provider who handles customer complaints on behalf of your company. It is important not to underestimate the workload of this first task, nor the need to involve different actors. It is essential to involve at least the purchasing department, the legal department and/or compliance in this review of service providers and partners. Indeed, this task can be extremely time-consuming in companies that do not control the entire contractual cycle or have not yet set up a dedicated repository for storing their contracts.
Once this list has been established, the heavy task of reviewing the contracts binding you to these companies begins. This review is often an opportunity to note that there is not always a contract between you and your service providers. While it is common practice to rely on nothing more than the validation of a purchase order or an oral acceptance, such practices are not consistent with the GDPR. Indeed, Article 28 of the Regulation specifies that the contract between the data controller and the processor must be in written form, including in electronic format. For these non-formalized agreements, as well as for existing contracts, it will then be necessary to update the clauses relating to personal data.
To help you in this task, here is the checklist of essential clauses to ensure compliance with the GDPR:
As data controller, it is your responsibility to ensure that the rights of individuals with regard to the protection of personal data are respected, even when such data are processed by a service provider. This clause should therefore provide that your processor undertakes to cooperate fully in order to respond to the requests of data subjects within the time limit imposed by law. The processor must therefore undertake to forward to you any request for the exercise of rights that reaches it directly, and to execute, within the time limits set, any request on your part regarding the implementation of a right. For example, if a data subject exercises his or her right to object to a processing operation carried out by your processor, the latter must stop processing as soon as it receives your request. It is also recommended to communicate your policy and/or procedure for managing data subjects' rights at the time of signing the contract.
This clause is one of the fundamental points of data protection since it makes it possible to define the level of security to be required from your processor according to the category of data and the nature of the processing operation. In addition, Article 29 also recalls that the processor is required to process personal data only on instructions from the controller. Thus, it is your duty to ensure that your processor implements security measures appropriate to the personal data processed, as well as to the purpose of the processing. In practice, it should be verified, for example, that access to personal data is restricted to persons who are authorised and trained in data protection issues, or that security policies (including access management) are implemented. It is also necessary to provide for regular testing of these security measures to confirm that they fully comply with the requirements of the regulation at all times.
Notification of personal data breaches to the supervisory authority is one of the major novelties of the GDPR. Indeed, the controller is now required to notify its supervisory authority of any data breach within 72 hours of the discovery of the breach. When the controller uses a processor, it must ensure that the latter will cooperate fully in order to comply with this obligation. It is important to remember that in the event of failure to comply with this specific obligation, the processor may be held liable and may be subject to the same sanctions as the controller. This is an argument to be put forward when negotiating with processors, who are often reluctant to accept this obligation. This clause must provide that the processor has put in place all the technical measures enabling it to detect a breach of personal data and to report it to you within a very short period of time, so that your company is able to notify the supervisory authority within 72 hours. It is also necessary to anticipate and organise situations where the breach is likely to create a high risk for the rights and freedoms of the data subjects, since it will then be mandatory to inform these persons of the breach of their personal data.
Transfers outside the European Union, which are strictly governed by the GDPR, are also to be framed in the contract. It is recommended to restrict these transfers as much as possible. However, as more and more processors operate from outside the European Union, it is difficult in practice to completely prohibit such transfers. It will then be essential to require your processor to submit to you in advance a list of the countries in which the data will be processed. For example, a data storage provider will have to indicate the countries in which its servers, including its secondary servers, are located. The controller must, at a minimum, obtain a guarantee that the processor will only transfer the data to countries previously approved by you. In addition, such transfers outside the European Union also imply for the controller the need to inform data subjects.
The audit clause, often neglected in favour of the security clause or the personal data breach notification clause, is nevertheless an important data protection clause. Indeed, the audit makes it possible to verify that the measures put in place at the processor's premises are correctly applied and, above all, whether they are appropriate to the personal data processed. It is recommended to plan at least one audit per year, on site or remotely, and to organise the modalities and potential consequences of this audit, in particular the audit costs, duration, notice period, measures to be adopted following the results of the audit, etc. It is also recommended to recall in this clause that a negative audit result may lead to the termination of the contract, because compliance with data protection obligations is an essential obligation of the contract.
Other clauses may also be added depending on the criticality of the data and the processing carried out by the processor, in particular the clause allocating responsibility between the parties in the event of a sanction, or the clause organising the destruction or return of the data at the end of the contract. All these clauses must obviously be adapted to the company's activity, as well as to the processor. Once these obligations have been incorporated into contracts with processors, the laborious negotiation stage begins.