Charities and internal investigations
Under the GDPR, when a ‘data controller’ engages a ‘data processor’, the two parties must enter into a written contract. Article 28 of the GDPR sets out the specific terms that, as a minimum, must be included in such contracts. These terms are required to ensure that the processor complies with the GDPR when processing the personal data in the controller’s possession. Article 28 is a new requirement which did not exist under the Data Protection Act 1998 (the “DPA”), meaning that controllers who are currently compliant with the DPA will not necessarily have included these provisions in their processor contracts. These contractual terms must be in place when the GDPR comes into force on 25 May 2018. Controllers and processors will therefore need to review their existing contracts and revise them as necessary and, where no contract is in place, agree its terms before May 2018. The Information Commissioner’s Office (the “ICO”) has provided draft guidance concerning this issue (see here).
A ‘data controller’ is defined as a ‘natural or legal person or organisation which determines the purposes and means of processing personal data’. For example, an employer which stores its employees’ data on a cloud-based HR software platform.
A ‘data processor’ is a ‘natural or legal person or organisation which processes personal data on behalf of the controller’. For example, the provider of the cloud-based HR platform referred to above, which processes employee data on behalf of the employer.
Under Article 28.3 of the GDPR, a contract is needed when a controller uses a processor to process personal data, and whenever a processor employs another processor (a ‘sub-processor’). As such, the employer and the software provider must enter into a contract relating to the use of the platform referred to above. Similarly, the software provider must enter into contracts with any relevant sub-contractors (for example, a third party hosting the processor’s servers).
Under the GDPR, the following details and provisions must be specified in any data processing contract:
The contract between a controller and a processor must include the following information:
All contracts must provide that ‘the processor may only process personal data in accordance with the controller’s written instructions, unless required to do so by law’. In the event that the processor is required to disclose the data by law, the processor must inform the controller before disclosing it (unless the law prevents this for public interest reasons).
Contracts should include a provision obligating the processor to obtain a commitment of confidentiality from anyone it allows to process the personal data (unless they are already under such a duty by law). Practically speaking, this means that the processor’s employees, temporary and agency workers, and subcontractors engaged to process personal data must enter into confidentiality agreements with the processor.
The processor must be subject to the same requirements as the controller in relation to keeping personal data secure. Article 32 of the GDPR sets out the ‘appropriate technical and organisational measures’ that both the processor and controller must take, including:
Processors must not employ sub-processors without the controller’s prior written consent, which can be given either generally or specifically. Using the example above, the provider of the cloud-based HR platform might wish to sub-contract with another party to perform the services on its behalf. Further, if a sub-processor is employed under the processor’s prior general written authorisation, the processor must inform the controller of any changes to that authorisation, and give the controller a chance to object. A processor must ensure that its contract with a sub-processor contains (at the very least) the minimum terms relating to processing of personal data required in contracts between controllers and processors. Ideally, these terms should mirror those agreed between the controller and processor, given that if the sub-processor fails to comply with the terms of the sub-contract, the processor remains liable to the controller for any loss suffered as a result of such non-compliance.
A relevant contract must include provisions obligating the processor to assist the controller in relation to a wide range of its obligations under the GDPR including, but not limited to:
The processor’s duty to assist is limited, however, by ‘taking into account the nature of processing and the information available to the processor’.
Processors must also assist controllers by providing them with access to their data and by assisting controllers with their obligations to data subjects under the GDPR, for example by providing data to data subjects following a subject access request. Under the GDPR, data subjects are entitled to have their personal data rectified or erased. A corresponding responsibility must now be included within controller/processor contracts, requiring processors to assist controllers who are dealing with such requests for rectification or erasure of a subject’s personal data.
All personal data must be deleted or returned at the end of the contract, as decided by the controller. The usual exception applies: the processor is exempt from this obligation where it is required to retain the data by law.
The processor must submit to audits and inspections carried out by the controller (or one of its agents) to ascertain whether the processor is processing the controller’s data in accordance with the terms of the contract.
What to do next?
Should you have any GDPR or data protection queries, please contact Kingsley Napley’s data protection team.
The COVID-19 crisis has forced sports clubs, schools, universities and charities to rapidly change their approaches to coaching, teaching and support work. The regulations on social distancing have forced organisations to innovate; services which had previously been offered mostly or wholly in person were rapidly shifted online during “lockdown 1” and will return online at least for the duration of “lockdown 3”. If the vaccine rollout has the desired effect there will no doubt be some return to “traditional” methods, but it seems very unlikely that the changes brought about by the pandemic will be completely reversed. In this blog, Claire Parry from Kingsley Napley’s Regulatory team and Fred Allen from the Public Law team look at the challenges organisations face engaging with children online.
It is now more than two years since the Data Protection Act 2018 and GDPR came into force, significantly increasing the enforcement powers of the Information Commissioner’s Office (ICO). With the passing of the Act, the ICO gained the power to issue fines amounting to millions of pounds and increased powers to bring criminal prosecutions against organisations who fail to comply with the data protection regime.
In late April we blogged about the NHSX developing a contact tracing app to help stop the spread of coronavirus and highlighted some of the privacy concerns that will need to be considered in the course of its development. Unfortunately, at the time of writing, the app is still yet to be released nationwide, although a beta version is being trialled on the Isle of Wight and development continues. In this blog we provide an update on the proposed functionality of the app and the privacy issues caused by that functionality which are delaying its release.
Dominic Raab announced last week that the current UK lockdown would last for at least another three weeks. These restrictions are unlikely to be relaxed until a large scale plan is in place to track and restrict the spread of the virus. Part of this plan will involve the use of the NHS “contact tracing” app, which we have been told is in an advanced stage of development.
On 23 May 2020, it will be two years since the Data Protection Act 2018 came into force. The Act was brought in to complement and supplement the GDPR, and significantly increased the ICO’s enforcement powers. In the build-up to its commencement, there was a flurry of speculation about how these new powers would be used. We now look at how the ICO used its enforcement powers in 2019 and highlight key considerations for businesses and organisations in 2020.
The Competition and Markets Authority (“CMA”) has today (18 December 2019) given the tech sector an early Christmas present by publishing its interim report on its market study, commenced earlier this year, into online platforms and digital advertising.
At the time of writing, it is possible that the UK could exit the EU on 31 October 2019 (“exit date”) without a deal which means immediately leaving EU institutions such as the European Court of Justice without an agreement over what happens next.
Monday night’s marathon session in Parliament saw a number of issues debated into the small hours and further defeats for the government. While many raised important political and legal issues, one of particular interest to information lawyers, followers of Parliamentary procedure and journalists alike was the endorsement of a “Humble Address” motion brought by former Attorney General, Dominic Grieve.
The Law Commission has this week made an important intervention in the world of anti-money laundering with its report on the Suspicious Activity Report (SARs) regime, including an analysis of the weaknesses of the current system and a series of recommendations to make things streamlined, clearer and, above all, more workable.
The Court of Appeal’s judgement in Forse & ors v Secarma Ltd & ors is an important case on springboard injunction applications in employee competition and team move cases. It is also a prime example of how WhatsApp messages can provide crucial evidence in such cases.
Any individual dissatisfied with the speed or content of an organisation’s response to a SAR will find it quick and easy to complain to your organisation or the ICO. This guide is intended to make responding to SARs as straightforward as possible.
Getting your black letter law data protection specialists to join your post-it wielding innovators on their bean bags might be challenging but it is important. Perhaps try breaking the ice with some table tennis and piano-led house music (a scientifically proven method).
EU leaders are due to meet today (1700 GMT) for an emergency summit dedicated to Brexit at which it is rumoured that they will grant an extension to the UK’s departure from the EU. The infographic below sets out the possible Brexit options and what this might mean for UK data protection law.
Focussing upon US companies considering their privacy policies and procedures in Silicon Valley and beyond, in this blog we consider the geographic scope of GDPR and the core business functions it impacts upon.
On 20 December 2018, the US Department of Commerce issued updated standards of compliance for participants in the EU-US Privacy Shield Framework (“Privacy Shield”) to continue receiving personal data from the UK in reliance on the Privacy Shield after Brexit (which is due to take place on 29 March 2019). By way of a reminder, Privacy Shield is a framework for protecting the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes.
With the UK due to leave the EU on 29 March 2019, UK Parliament is working towards creating new regulations to ensure that the UK’s data protection standards will be equivalent to EU law post-Brexit. The UK would use this as the basis for securing an adequacy decision from the European Commission meaning that our legal framework is deemed to provide adequate protection for individuals’ rights and freedoms over their personal data. As discussed in our previous blog, this would facilitate cross-border transfers of personal data and business continuity as the UK aims to trade with the single market on equal terms.
The Information Commissioner’s Office (ICO) has commenced formal enforcement action against care homes that have failed to pay the data protection fee.
International transfers of personal data are instantaneous and constant. Everyday business functions such as uploading data files to the cloud or sending emails potentially involve transferring personal data across international borders. This is particularly relevant in today’s global economy where business functions are often outsourced overseas for operational and cost efficiencies.
The High Court has held that suspicious activity reports may amount to “personal data” for the purposes of the Data Protection Act 1998 (“DPA 1998”) and are potentially disclosable following a subject access request.
Two months ago, the introduction of the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA”) significantly changed our data protection landscape (see our related blogs). Reference to “GDPR” became a daily occurrence in shops and offices, and received daily attention on social media and in the press.