FAQs
What should be contained in a contract between a data controller and a data processor?
Sometimes, an organisation will need to engage the services of a sub-contractor or agent to process personal data on its behalf. Such an agent is termed a 'data processor' under data protection law. For example, a company may wish to engage the services of a payroll company to deal with their payroll issues. The employer is the data controller and the payroll company is the data processor.
Where a data controller engages the services of a data processor, it must take certain steps to ensure that data protection standards are maintained in line with Article 28(3) of the General Data Protection Regulation (GDPR). Before the start of the processing operations, data controllers and data processors must enter into a written, legally binding agreement in order to define their respective roles and responsibilities in the context of their business activities. Such an agreement is usually in the form of a contract and should, at a minimum, set out:
- The subject matter;
- Duration, nature and purpose of the data processing;
- The type of personal data being processed;
- The categories of data subjects whose personal data is being processed;
- The obligations and rights of the controller and certain specific obligations of the data processor.
For example, the processor shall be obliged to:
- Only process personal data on documented instructions from the data controller;
- Ensure that authorised persons are bound by confidentiality obligations;
- Take all appropriate security measures;
- Respect the conditions for engaging sub-processors;
- Assist the data controller in the fulfilment of their obligation to respond to requests for exercising data subjects’ rights, and their accountability obligations.
The obligations of the data processor should be as detailed as possible in order for the agreement to be a meaningful accountability tool. Informal arrangements are neither appropriate nor acceptable in circumstances where personal data is involved.
For more information, read our Practical Guide to Controller-Processor Contracts. This guidance sets out the key points for consideration in line with Article 28(3) of the GDPR.