Requirement for a written contract with a processor
Data protection legislation requires that, whenever you use a processor, you formalise the working relationship in a written contract which sets out:
the subject matter, nature and purpose of the processing
the obligations and rights of the data controller
duration of the processing and
the types of personal data and categories of data subjects
The contract must also set out specific obligations on the processor, including that they:
comply with your instructions
are subject to a duty of confidentiality
keep personal data secure and notify you without undue delay of any personal data breach
maintain written records of the processing activities they carry out for you
only engage a sub-processor with your prior written authorisation
submit to audits and inspections and provide you with whatever information you need to ensure compliance with current data protection legislation
delete or return all personal data to you as requested at the end of the contract
As data controller, you are ultimately responsible for ensuring that personal data is processed in accordance with data protection principles.
However, a processor also has obligations of its own: if it fails to meet any of them, or acts outside your documented instructions, it may itself be liable to pay damages or be subject to fines or other penalties or corrective measures. You should consider the guidance the ICO provides on ‘Contracts and liabilities between controllers and processors’ in relation to your contracts with data processors.
Appointing data processors
Data protection legislation requires that you only appoint a processor that can provide sufficient guarantees that the requirements of the current data protection legislation will be met.
You should ensure that data protection is integral in any tender exercise (documenting your decision-making process) and that the requirements set out in our guidance are met in any contract awarded.
You should also ensure that your existing contractors or suppliers are aware of their obligations under the current data protection legislation, and that any existing contracts meet the requirements set out in our guidance.