GDPR Controller/Processor Agreement Policy
GDPR Toolkit Version 4 ©CertiKit
GDPR Controller/Processor Agreement Policy
Implementation Guidance (The header page and this section must be removed from final version of the document)
Purpose of this document This document provides guidance about the information that needs to be added to an agreement to cover the requirements of the GDPR.
Areas of the standard addressed The following areas of the GDPR are addressed by this document: Article 28 - Processors
General Guidance At the date of this version of the toolkit, there are no standard contractual clauses available that have been approved by the EU. Therefore, the information provided in this document should be used with caution; it is based on our understanding of what is required but should be reviewed by a qualified law practitioner before relying upon it in a contract.
Review Frequency We would recommend that this document is reviewed whenever additional guidance is published by the EU or your local supervisory authority.
Toolkit Version Number GDPR Toolkit Version 4 ©CertiKit
Document Fields This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document): 1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name 2. Press Ctrl a on the keyboard to select all text in the document (or use Select, Select All on the ribbon)
Version 1
Page 1 of 10
[Insert date]
GDPR Controller/Processor Agreement Policy
3. Press F9 on the keyboard to update all fields 4. When prompted, choose the option to just update TOC page numbers If you wish to permanently convert the fields in this document to text i.e. so that they are no longer updateable, then you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible then go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check that you have updated all fields correctly. Further detail on the above procedure can be found in the Toolkit Completion Instructions within the Project Resources folder.
Copyright notice Except for any third party works included in this document, as identified in this document, this document has been authored by CertiKit, and is © copyright CertiKit except as stated below. CertiKit is a trading name of Public I.T. Limited, a company registered in England and Wales with company number 6432088 and registered office at 5 Falcons Rise, Belper, Derbyshire, DE56 0QN.
Licence terms This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.
Disclaimer Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document
Version 1
Page 2 of 10
[Insert date]
GDPR Controller/Processor Agreement Policy
templates, assumes no duty of care to any person with respect its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Version 1
Page 3 of 10
[Insert date]
GDPR Controller/Processor Agreement Policy
[Replace with your logo]
GDPR Controller/Processor Agreement Policy
Document Ref. Version: Dated: Document Author: Document Owner:
Version 1
Page 4 of 10
GDPR-DOC-06-1 1 [Insert date]
[Insert date]
GDPR Controller/Processor Agreement Policy
Revision History Version Date
Revision Author
Summary of Changes
Distribution Name
Title
Approval Name
Version 1
Position
Signature
Page 5 of 10
Date
[Insert date]
GDPR Controller/Processor Agreement Policy
Contents 1
INTRODUCTION ....................................................................................................................................... 7
2
GDPR CONTROLLER/PROCESSOR AGREEMENT POLICY ......................................................... 8 2.1 INFORMATION TO BE SPECIFIED ................................................................................................................ 8 2.1.1 Subject matter and duration of the processing ............................................................................... 8 2.1.2 Nature and purpose of the processing ............................................................................................ 9 2.1.3 Type of personal data and categories of data subjects ................................................................... 9 2.1.4 Obligations and rights of the controller ......................................................................................... 9 2.2 CONTRACTUAL TERMS TO BE INCLUDED .................................................................................................. 9
Version 1
Page 6 of 10
[Insert date]
GDPR Controller/Processor Agreement Policy
1 Introduction [Organization Name] is committed to protecting the personal data of its employees, customers, suppliers and other stakeholders and to ensuring its compliance with all relevant legislation. As part of its business, [Organization Name] relies upon a number of third party organisations to assist in providing a high level of service to its customers, in reaching new markets, and in looking after its employees, amongst a wide range of other activities. The European Union (EU) General Data Protection Regulation (GDPR) places obligations on a controller of personal data to ensure the protection of that data when they are processed by a third party i.e. a processor. In forming a controller/processor relationship, the GDPR is quite specific about the fact that a contractual agreement must be in place between the two parties, and that it should specify key items of information about the personal data involved and how it is processed. This policy document sets out the information that must be included in contracts that involve the processing of personal data. The following related documents are relevant to this procedure: • •
• •
Data Protection Policy Processor GDPR Assessment Procedure Procedure for International Transfers of Personal Data Data Subject Request Procedure
Version 1
Page 7 of 10
[Insert date]
GDPR Controller/Processor Agreement Policy
2 GDPR Controller/Processor Agreement Policy It is a requirement of all existing and new contractual agreements between [Organization Name] and third parties where personal data is shared or processed, that specific information is detailed and data protection-related contract terms are included. The contract must be legally binding on the processor for it to be compliant. The following sections set out the information that is required and the terms that must be included. Important Note Note that the exact wording of the data protection clauses may vary in each individual contract and that each amendment to an existing contract or creation of a new contract must be subject to review by a qualified legal practitioner with knowledge of the legal framework in the country or countries involved. The GDPR allows a small number of derogations (or variations) that a member state may make and which may affect the wording used. The GDPR makes provision for the EU and individual supervisory authorities to publish standard contractual clauses (see Article 28 – Processor, points 6,7,8) although, at the current version of this policy document, none have so far been published. The website of the supervisory authority must be consulted on a regular basis to check whether this situation has changed.
2.1
Information to be Specified
The following information about the processing of personal data must be included in each contract for it to be GDPR-compliant. This information must be specific to the individual contract and must describe the processing in clear terms i.e. generic descriptions with a wide interpretation must not be used. 2.1.1 Subject matter and duration of the processing The topic or area that the processing is concerned with should be described, together with an indication of the period of time the processing should continue for. A simple example could be “the creation and despatch of marketing materials for a period of one year from the date of contract.� This gives a clear indication of the area the personal data are intended to be used in and for how long they should be kept. The processor is therefore not permitted to use the data for any other purpose and cannot retain the data for longer than is contractually agreed.
Version 1
Page 8 of 10
[Insert date]
GDPR Controller/Processor Agreement Policy
2.1.2 Nature and purpose of the processing Describe what the processing consists of and the intended reasons for it. A simple example of the nature of the processing could be “the printing of address labels from a list provided by [Organization Name], the attachment of the labels to physical mailing pieces and their dispatch to the recipient.” Similarly a simple example of the purpose of the processing could be “communication of our product information to individuals who have requested it.” Again, this information is intended to make it clear how the personal data will be used and why. 2.1.3 Type of personal data and categories of data subjects The personal data involved in the processing must be described as clearly as possible, partly in order to give an indication of its level of sensitivity, particularly if special categories of data (e.g. genetic and biometric data) are involved. Information about the groups of data subjects that the personal data refers to must also be given, in as much detail as is available or appropriate. A simple example could be “name and address of individuals who have requested product information”. 2.1.4 Obligations and rights of the controller The controller of the personal data must comply with the GDPR and must therefore require the processor to recognise and agree to specific terms that set out how they will assist the controller in remaining within the law. These terms are described in the following section.
2.2
Contractual Terms to be Included
The GDPR requires that the controller specify a set of minimum terms related to data protection in the contract. These require that the processor: •
processes the personal data only on documented instructions from the controller
•
ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
•
takes all measures required pursuant to Article 32 of the GDPR (see Note 1)
•
respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor (see Note 2)
Version 1
Page 9 of 10
[Insert date]
GDPR Controller/Processor Agreement Policy
•
assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR (see Note 3)
•
assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (see Note 4)
•
at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
•
makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR (see Note 5) and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller
Notes 1. Article 32 – Security of processing requires both controllers and processors to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (to the rights and freedoms of natural persons)”. The level of risk may be evaluated from a data protection impact assessment and therefore the extent of security controls required will vary across contracts. These may include the use of encryption, backup systems and other techniques to provide an appropriate level of confidentiality, integrity, availability and resilience of the system that are used to process personal data. 2. These conditions dictate that the processor may not engage another processor (sub-processor) without the prior authorisation of the controller. In cases where another processor is engaged, the sub-processor must be subject to the same contractual terms as described in this policy. 3. Chapter III – Rights of the data subject sets out the information that must be provided to the data subject and the types of request they may make to the controller. These include the right to access their personal data, have it erased and object to them being processed. 4. Articles 32 to 36 address the areas of security of processing, personal data breaches and data protection impact assessments. 5. Article 28 – Processor is the main article that addresses the contractual requirements of the GDPR and is largely the subject of this policy document.
Version 1
Page 10 of 10
[Insert date]