The French DPA (CNIL) and the Spanish DPA (AEPD) have each issued a guide for data processors, namely “Règlement européen sur la protection des données : un guide pour accompagner les sous-traitants” and “Directrices para contratos responsable – encargado” respectively. Furthermore, the UK DPA (ICO) has published draft GDPR contracts guidance.
These have a positive impact on anyone trying to comply with GDPR, for the following reasons:
- GDPR improves on the 95/46 Directive by providing for obligations on data processors, but it is addressed chiefly to data controllers, and the data processor role is dealt with in only a few articles (mainly art. 28). The data processor definition itself is framed in terms of the data controller: “‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
- It is not trivial to determine when an outsourced service falls within the data processor definition or when the company performing the service is a data controller itself. The Art. 29 WP Opinion 1/2010 on the concepts of “controller” and “processor” is a reference source.
- The appendices of the guides offer an authoritative example of the contractual clauses for the agreement between data controller and data processor. This is very valuable for organizations in their effort to be ready for the May 2018 deadline: revisiting all contractual obligations is a time-consuming task for both data processors and data controllers. Often a service company is in both roles, particularly in a cloud environment.
Attached is my own Italian translation of the Appendix to the CNIL document.
Another source is the International Regulatory Strategy Group's example contractual clauses.