DATA PROTECTION - 18.06.2018

Complying with the GDPR when using third-party processors

If you engage any third-party processors to handle employees’ personal data, you’ll need to ensure you’ve complied with the relevant provisions of the GDPR. What do you need to do to protect the business?

USE OF PROCESSORS

The GDPR imposes significant new direct obligations on “processors”. As an employer, you’re a “controller” in relation to your employees’ personal data, i.e. you determine the purposes and means of personal data processing. On the other hand, a processor processes personal data on behalf of the controller. In an employment context, this will include any third-party service providers that you might use, such as outsourced payroll providers, IT services and pension scheme/benefits providers.

Pro advice 1. From your perspective as controller, the GDPR requires you to include certain terms in the written contracts that you enter into with your processors. The contract can be in electronic form.

Pro advice 2. The direct obligations that the GDPR imposes on processors include: requirements to only process personal data according to your instructions; restrictions on engaging subprocessors; requirements to implement appropriate technical and organisational measures to secure personal data; data breach notification requirements; and record-keeping requirements.

CONTRACTUAL REQUIREMENTS

Firstly, you must only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that their processing meets the GDPR’s requirements and ensures the protection of data subjects’ rights. Secondly, the written contract with your processor must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data processed, the categories of data subjects and your rights and obligations. In particular, the contract must require the processor to:

  • process personal data only on your documented instructions
  • ensure that the personnel they authorise to process personal data have committed themselves to confidentiality obligations
  • implement appropriate technical and organisational measures to ensure a level of security for the personal data they process which is appropriate to the risk
  • not engage any subprocessors without your prior written authorisation (and impose the same data protection obligations in the contract with the subprocessor as are set out in your contract with them)
  • implement measures to assist you in complying with your obligation to respond to requests for exercising data subjects’ rights and in ensuring compliance with data security requirements
  • at your election, either delete or return the personal data at the end of the relationship, unless the law requires storage of the data
  • make available to you all information necessary for you to demonstrate compliance with the GDPR’s requirements relating to engaging processors, and contribute to audits, including inspections, that you conduct.

Pro advice. If you use third-party processors, ensure you have a written contract in place with them which incorporates these provisions (see Follow up). If necessary, ask them to enter into new contracts containing the required terms.

Data processor clauses

If you use processors such as payroll providers to process employee personal data on your behalf, you must include a number of written terms in the commercial contract you enter into with them, e.g. to process personal data only on your documented instructions.

© Indicator - FL Memo Ltd
