This is not ‘just another’ GDPR article – we promise! Now that the dust is settling after the deadline for GDPR compliance, we’ve spent some time taking stock of the typical issues we’ve had to confront in negotiating data protection terms in light of the new regulations. This article highlights some of the issues we see coming up time and again for customers of services and offers some suggestions for dealing with them based on what we have seen work in negotiations over the course of the last year. 

1. Unapproved Use of Sub-processors 

Under Article 28(2) of the GDPR, a data processor shall not engage another processor without the prior specific or general written authorisation of the controller. Although a general authorisation could be interpreted to mean that the processor does not need to share a list of its sub-processors at the outset, the controller should still be provided with notice of, and an opportunity to object to, any additional or replacement sub-processors. Preferably, a customer would instead push to include a list of the possible sub-processors that will be used for the services. This list should be included as an appendix to the overarching contract. Then, if any changes to this list are made, the processor must inform the controller before that new sub-processor is engaged to process a customer’s personal data. Although this may be argued to present practical difficulties, we have seen some large suppliers willing to agree to this. 

Suppliers, acting as processors, often insist on general consent to engage sub-processors in the course of performing the services. Where general consent is given, the data processor is obliged to inform the controller of any intended changes to sub-processors under Article 28(2). This gives the controller the opportunity to object to the changes. The parties are then expected to resolve the issue – for example using another sub-processor or, if the supplier insists on the ability to use that sub-processor, permitting the controller to terminate the contract. Often the data processor will include a provision that allows it to continue to use the sub-processor, which is the subject of the objection, until the parties find a way to deal with the controller’s objection. This clearly undermines the intention of GDPR to give the customer control over how its data is processed and by whom. It also conflicts with the general principle of a data processor being required to act on a data controller’s instruction.

If a customer does object to the use of a particular sub-processor, and the parties cannot find a suitable workaround, we suggest that the customer should have the right to terminate the agreement in question and be entitled to a refund of any fees or charges paid upfront for the period after the effective date of termination. A supplier would generally push to limit any termination right to only the affected service. However, this is often an issue for customers as the whole of the service could be affected if the affected service is an integral piece of the overall service offering. For this reason, the decision as to whether the agreement is terminated in whole or in part should sit with the customer.

2. Notification of data breach

Under Article 33(1) of the GDPR, a controller must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of the breach. There is a notable tension with this provision and Article 33(2) which requires the processor to notify a controller of a personal data breach without undue delay. Arguably, where the personal data breach emanates from activities undertaken by the processor, the 72-hour time period imposed on the controller would only run from the time when it is notified by the processor. However, we suggest that it would be prudent for the customer (as controller) to specify in the contract the time period for the processor to notify the customer of the breach e.g. 24 or 48 hours. This would then allow the breach to be actioned and notified to the supervisory authority as expeditiously as possible. 

3. Deletion of data on termination/expiry

Article 28(3)(g) requires that the processor delete or return all the personal data to the controller once the service period relating to processing ends. The processor must also delete existing copies of the data unless applicable law requires the storage of the personal data. The choice as to whether to delete the data or instead return the data lies with the controller. A supplier may stipulate that it will delete or return the personal data, however, this should really be at the controller’s option. The processor would then be required to act on the controller’s instructions and this should be provided for in the contract. As an aside, it is also important to think about the instances where applicable law would require the continued storage of data, for example, where personal data is processed for scientific or historical research, statistical purposes or for archiving purposes in the public interest.

4. Suitable audit right

Under Article 24(1) of the GDPR, and taking into account the nature, scope, context and purposes of processing, the controller is required to implement appropriate technical and organisational measures to ensure that processing is performed in accordance with the GDPR. To be able to demonstrate this (as the GDPR requires), it is vital that the controller has adequate rights to audit any processor who processes its personal data, particularly as Article 28(3)(h) requires that the processor makes available to the controller all information necessary to demonstrate compliance with its obligations and allow for and contribute to audits, including inspections. In order to avoid doubt as to the level of engagement required by the processor in such circumstances, we would suggest that an express audit right be included in the contract which sets out the level of participation and involvement required by the processor in the event that the controller conducts an audit.

5. Suppliers requiring compensation for compliance

We’ve seen a number of instances where suppliers include a contractual provision requiring the customer to compensate the supplier for the supplier’s efforts in meeting customer’s GDPR compliance requirements. The argument used to justify this is that the supplier is incurring additional costs to satisfy the customer’s GDPR compliance requirements and in some instances, these go beyond what is actually required of the supplier under the GDPR itself. 

The concern here is that if a customer has to compensate a supplier for basic GDPR compliance, then that customer is essentially paying double the compliance cost because the customer, as data controller, is also bearing the cost of its own compliance requirements. As a general practice, we suggest that a customer resist paying for any express obligations imposed on the supplier as data processor under the GDPR. If, however, the customer’s requirements impose obligations on the supplier over and above the basic GDPR requirements then the parties can consider some form of reasonable compensation (if necessary). This compensation should take into account the actual and demonstrable additional cost for the supplier to meet the additional obligations. 

Bronwyn Simpson and Tasleema Dramat

January 2019

The information and views contained in this article do not constitute legal advice. If you do require legal advice please contact us on info@lighthouse.law