ICO issues GDPR draft guidance on contracts and liabilities

The document, published today and currently open for consultation, explains contracts and liabilities between controllers and processors under the GDPR. The ICO says that contracts must state details of the processing, such as the nature and purpose of the processing, the type of personal data and categories of data subject, and must also set out the processor’s obligations. This includes the standards the processor must meet when processing personal data and the permissions it needs from the controller in relation to the processing.

In the future, standard contract clauses may be provided by the European Commission or the ICO, and may form part of certification schemes. However, at the moment no standard clauses have been drafted.

“Data controllers are ultimately responsible for ensuring that personal data is processed in accordance with the GDPR. This means that, regardless of your use of a processor, you may be subject to any of the corrective measures and sanctions set out in GDPR. These include orders to bring processing into compliance, claims for compensation from a data subject and administrative fines. Further guidance on sanctions and corrective measures under the GDPR will be issued in due course.”

“Unless you can prove that you were ‘not in any way responsible for the event giving rise to the damage’, you will be fully liable for any damage caused by non-compliant processing, regardless of your use of a processor.”

Processors can also be held liable under Article 82 to pay compensation for the damage caused by processing if they have failed to comply with the GDPR provisions specifically relating to processors, or if they have acted without the lawful instructions of the controller, or against those instructions.

The consultation ends on 10 October. The ICO intends to publish the final version of the guidance later in 2017. See