Information Commissioner publishes new guidelines on the contractual processing of personal data
In the new guidelines the Information Commissioner sets out and explains the mandatory components of personal data processing agreements that controllers must conclude with processors in accordance with Article 28 of the General Data Protection Regulation. The guidelines specify the provisions in respect of technical and organizational measures that must be contained in personal data processing agreements.
It is, therefore, not enough for the agreements to contain a provision that the data will be protected in accordance with the Data Protection Act and the General Data Protection Regulation. The technical and organizational measures should be clearly and specifically defined.
Furthermore, controllers are required to check, at least annually, the suitability of their processors' conduct. Checks may be carried out more often, and in the opinion of the Information Commissioner the frequency of such checks cannot be limited by a personal data processing agreement. In addition, the Information Commissioner clarifies the limits of contractual processing for cases where, in practice, it is doubtful whether certain entities, depending on the service they provide, should be classed as processors.
Interestingly, when representing their clients, attorneys are not considered processors but controllers of the personal data obtained from their clients.