Introduction to this document
GDPR data processor clauses
If you use any third-party processors to handle employees’ personal data, you must by law include a number of key written terms governing data protection in the commercial contracts you enter into with them.
Processor obligations
As an employer, you’re a “controller” in relation to your employees’ personal data. However, you might also engage one or more third-party service providers, e.g. outsourced payroll or IT services and pension scheme or staff benefits providers. If they process any employees’ personal data on your behalf, they’re a “processor”, and the UK GDPR imposes significant direct obligations on them with which they must comply.
Contractual requirements
However, don’t assume this is none of your concern: where you’re the controller, the UK GDPR specifically requires that you include certain terms in the written contracts that you put in place with your processors. Firstly, you must only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that their processing meets the UK GDPR’s requirements and ensures the protection of data subjects’ rights. Secondly, the written contract with your processor must set out: (a) the subject matter and duration of the processing; (b) the nature and purpose of the processing; (c) the type of personal data processed; (d) the categories of data subjects; and (e) your rights and obligations as controller. On point (e), your written contract must stipulate that the processor will:
- process the personal data only on your documented instructions
- ensure that the personnel they authorise to process the personal data have committed themselves to confidentiality
- implement appropriate technical and organisational measures to ensure a level of security for the personal data they process which is appropriate to the risk
- implement appropriate measures to assist you in complying with your obligations to respond to requests by data subjects to exercise their rights and in ensuring compliance with your data security, notification of data breaches and data protection impact assessment obligations
- not engage any subprocessors without your prior written authorisation
- at your election, either delete or return to you the personal data, and delete existing copies, at the end of the contract, unless the law requires storage of the data
- make available to you all information necessary for you to demonstrate compliance with the UK GDPR’s requirements relating to engaging processors and contribute to audits, including inspections, that you either conduct yourself or that you mandate an auditor to conduct.
Our GDPR Data Processor Clauses can be inserted into your contracts as required. They incorporate all the above requirements. We’ve assumed in our clauses that you’re not willing to allow your processors to engage subprocessors.
Document
04 Jan 2019