Data Protection and the Importance of Data Processing Agreements

A recent decision involving the EU General Data Protection Regulation (GDPR) in Poland has highlighted the increased responsibilities on organisations to protect any personal data that they hold on behalf of individuals. This case highlighted in particular the necessity of having a written contract in place covering certain data protection matters where one organisation is processing personal data on behalf of another.

The circumstances of this case involved an organisation, acting in the capacity of a data controller, passing personal data on to another organisation, acting in the capacity of a data processor, to assist with maintaining accounting books and records and preparing reports relating to finance, taxation and social security. This was done without a written contract in place setting out the arrangement and how the transferred personal data was to be handled.

The Polish supervisory authority found that the organisation, acting as the data controller, had failed to comply with the GDPR and imposed an administrative fine. The failure arose from the absence of a written contract and from the lack of any verification that the data processor had provided sufficient guarantees that it would implement appropriate technical measures to protect the personal data.

So what are data controllers and data processors?

Data Controllers and Data Processors

A data controller determines the purposes for which and the means by which personal data is processed. For example, an organisation that decides ‘why’ and ‘how’ personal data should be processed is a data controller.

A data processor processes personal data only on behalf of the controller. It is usually a third party, external to the controller’s organisation, to which the data controller has outsourced certain tasks.

Data processing is defined as any action performed on data, whether automated or manual. Examples include collecting, recording, organising, structuring, storing or using data. This is therefore a wide definition, covering essentially any interaction with an individual’s personal data. It would cover, for example, situations where RSLs appoint suppliers to carry out services for them and the RSL provides those suppliers with personal and/or sensitive data about its customers and/or employees.

Written Contracts

As highlighted by the above decision, GDPR compliance requires data controllers to have a written contract in place with any party that acts as a data processor on their behalf. This contract must cover certain data protection matters, including the processor:

  • agreeing to process personal data only on the written instructions of the controller;
  • ensuring that everyone who comes into contact with the personal data during the processing is committed to confidentiality;
  • taking all appropriate technical and organisational measures to protect the security of the data;
  • agreeing not to subcontract to another processor unless authorised to do so in writing by the controller (in which case a further written contract covering the same data protection matters will need to be signed with the subcontractor);
  • helping the controller uphold its obligations under the GDPR, particularly concerning data subjects’ rights;
  • helping the controller maintain GDPR compliance with regard to Article 32 (security of processing) and Article 36 (consulting the data protection authority before undertaking high-risk processing);
  • agreeing to delete all personal data, or return it to the controller, upon termination of the services; and
  • allowing the controller to conduct audits and providing whatever information is necessary to demonstrate compliance.

Details of what personal data is being processed, and why, also need to be included in the contract.

Do I Need a Written Contract?

Written contracts are required to formalise the working relationship between data processors and data controllers. A contract of this kind is not required where the parties are simply exchanging personal data with each other.

It is therefore important to establish that a data controller-processor relationship exists in order to determine whether a written contract is necessary.

For RSLs, this may include, but is not limited to, situations such as:

  • any services or repair contracts you have with third parties under which you supply them with tenants’ personal information, e.g. their names and home addresses;
  • appointing another organisation to carry out surveys of tenants or staff; and
  • software contracts.

If you, or anyone in your organisation, requires advice or assistance, please contact our team.

Authors

Nicky Brechany