Following on from our first blog, this blog examines the second part of the EDPB’s guidance on controllers and processors. Whilst the first part provides guidance on the concepts of controller, processor, and joint controller, the second part considers the relationships and agreements between these different roles.
Relationships – Controller-Processor Agreements
The guidance provided on controller-processor agreements will arguably have the most significant impact on your organisation’s practices, as the EDPB has expanded considerably on the requirements set out in Article 28 GDPR. Crucially, the EDPB asserts that agreements which merely restate the provisions of Article 28 will not be sufficient. It explains that the agreement is a way for each party to clearly allocate responsibility for protecting the rights of data subjects and, as such, it needs to detail specific arrangements, including:
Aside from requiring these agreements to be far more detailed than before, the guidance also places heavier burdens on processors when it comes to changing these agreements and complying with them. The EDPB states that if a processor intends to make any changes to the controller-processor agreement, it must notify the controller directly and obtain its approval; it cannot simply publish the changes on its website and amend the agreement unilaterally. Furthermore, the EDPB clarifies that controllers and processors are equally responsible for putting in place an agreement that complies with the GDPR, a task that has traditionally fallen to the controller.
These changes will likely be welcomed by many, as findings from the UK Data Protection Index, brought to you by The DPO Centre and Data Protection World Forum, have shown that 81% of DPOs agree that more due diligence should be introduced between controllers and processors.
Relationships – Joint Controller Agreements
When it comes to joint controller agreements, the EDPB goes further than the GDPR in its recommendations:
Conclusion
How helpful is this guidance?
Part 2 of the guidance significantly expands upon the fairly sparse detail provided in the GDPR with regard to controller-processor and joint controller agreements. This provides much more clarity and certainty about what form these agreements should take and what needs to be included within them.
What do organisations need to do now?
A key step for many organisations will be reviewing and editing their controller-processor and joint controller agreements, as these are likely to lack the detail that the EDPB states is required. For companies that contract with a great number of controllers and/or processors, this is likely to be a time-consuming task, as each contract will have to be far more thorough. However, by adding the required detail, companies will be able to evidence their GDPR compliance much more easily.