Does This Data Processor Clause Invalidate The Agreement?

  • Does This Data Processor Clause Invalidate The Agreement?

    I have a data processor who had asked my business as controller to complete their Controller-to-Processor agreements for GDPR compliance. One clause states that they will appoint a sub-processor if they choose without my consent. Under Article 28(2) it states that a sub-processor cannot be appointed without explicit consent of the controller.

    Now the agreement was signed by the previous business owner and this has just been noticed by myself - I'm also not happy with them as a business. My question is whether this clause invalidates the contract under 'Performance of contract' because it's against what companies are obligated to do under GDPR. I hope that makes sense.

    Some help would be appreciated from someone with contract experience as I don't want to play this wrongly.

  • #2
    I don't think it will invalidate the contract because it would have been an agreement between yourself and the processor. You are correct to pick up on it, but always remember you are responsible for ensuring that processors comply with their obligations under the GDPR.

    In this day and age, it is normal for processors to engage with third parties in order to ensure the functioning of the services provided, e.g. telecoms provider, cloud services etc.

    Whilst Art. 28 says that this shouldn't happen without consent, you can of course make an exception and give consent under the contract to allow the processor to use those third parties that are critical to providing the service, otherwise it might be impossible to perform.

    There's a number of ways to go about this:

    1. If the processor only uses one or two third parties you could explicitly say something in the contract along the lines of "except for (company name) (company no. if applicable) (insert registered or principal address), the data processor shall not use any sub-processor without prior written consent of the data controller."

    2. If there are multiple processors used, you could refer to a sub-processor list as a schedule at the end of the agreement. Wording such as "the data processor shall not use any sub-processor without the data controller's prior written consent unless that sub-processor exists on the list of processors set out in Schedule X (as updated from time to time)".

    3. A compromise might be to allow the data processor to use a sub-processor provided that you are promptly notified in writing, and unless you object within X days of being notified, you are deemed to have given consent.

    You will also need to consider Art. 28(3), which says that the sub-processing contract will contain certain provisions set out in (a) to (h), but some of those sub-sections can be placed elsewhere in the contract, such as the option to return or delete the data. Usually you might expect to see some wording like "The data processor's right to use a sub-processor shall be contingent on:
    (a) entering into a written contract on terms no less onerous than the contract the processor is agreeing to;
    (b) provide sufficient written guarantees that it has in place appropriate technical measures so that the processing of the data will meet the applicable data protection laws;
    (c) ensure that the sub-processor and its employees or any third parties acting on its behalf are made aware of the confidential nature of the data being processed; and
    (d) contains an express right for the data controller to enforce the agreement directly against the sub-processor.

    Whilst looking at this provision you might also want to double check the right to transfer to a third country under Art. 44 and make sure they comply.

    Although I've given some examples above, you will need to decide how and what to agree, as you are in the best position to know that, taking into account the nature of the relationship.
    If you have a question about the voluntary termination process, please read this guide first, as it should have all the answers you need. Please do not hijack another person's thread as I will not respond to you
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    LEGAL DISCLAIMER
    Please be aware that this is a public forum and is therefore accessible to anyone. The content I post on this forum is not intended to be legal advice nor does it establish any client-lawyer type relationship between you and me. Therefore any use of my content is at your own risk and I cannot be held responsible in any way. It is always recommended that you seek independent legal advice.



    • #3
      Originally posted by R0b:
      I don't think it will invalidate the contract because it would have been an agreement between yourself and the processor. You are correct to pick up on it, but always remember you are responsible for ensuring that processors comply with their obligations under the GDPR.

      In this day and age, it is normal for processors to engage with third parties in order to ensure the functioning of the services provided, e.g. telecoms provider, cloud services etc.

      Whilst Art. 28 says that this shouldn't happen without consent, you can of course make an exception and give consent under the contract to allow the processor to use those third parties that are critical to providing the service, otherwise it might be impossible to perform.

      There's a number of ways to go about this:

      1. If the processor only uses one or two third parties you could explicitly say something in the contract along the lines of "except for (company name) (company no. if applicable) (insert registered or principal address), the data processor shall not use any sub-processor without prior written consent of the data controller."

      2. If there are multiple processors used, you could refer to a sub-processor list as a schedule at the end of the agreement. Wording such as "the data processor shall not use any sub-processor without the data controller's prior written consent unless that sub-processor exists on the list of processors set out in Schedule X (as updated from time to time)".

      3. A compromise might be to allow the data processor to use a sub-processor provided that you are promptly notified in writing, and unless you object within X days of being notified, you are deemed to have given consent.

      You will also need to consider Art. 28(3), which says that the sub-processing contract will contain certain provisions set out in (a) to (h), but some of those sub-sections can be placed elsewhere in the contract, such as the option to return or delete the data. Usually you might expect to see some wording like "The data processor's right to use a sub-processor shall be contingent on:
      (a) entering into a written contract on terms no less onerous than the contract the processor is agreeing to;
      (b) provide sufficient written guarantees that it has in place appropriate technical measures so that the processing of the data will meet the applicable data protection laws;
      (c) ensure that the sub-processor and its employees or any third parties acting on its behalf are made aware of the confidential nature of the data being processed; and
      (d) contains an express right for the data controller to enforce the agreement directly against the sub-processor.

      Whilst looking at this provision you might also want to double check the right to transfer to a third country under Art. 44 and make sure they comply.

      Although I've given some examples above, you will need to decide how and what to agree, as you are in the best position to know that, taking into account the nature of the relationship.

      So as the contract can't be voided and therefore re-negotiated, it's down to whether they are willing to revisit the agreement?



      • #4
        What exactly is the processor asking you to do? Are they asking you to sign a fresh agreement, a variation to reflect the GDPR or something else?


        • #5
          Originally posted by R0b:
          What exactly is the processor asking you to do? Are they asking you to sign a fresh agreement, a variation to reflect the GDPR or something else?

          Thanks for helping here Rob. It was signed last year by the previous business owner, so rather than the dog wagging the tail and taking ownership of the data, the tail is wagging the dog with this agreement - what I mean by this is that had the controller (him) done this properly he wouldn't have signed on the processor's terms without picking up on this.

          I've been going through all contracts and, as I don't want to be legally exposed, I wanted to revisit the agreement. God forbid there's a breach and on reporting to the ICO it turns out I can't evidence the data trail because of the processor sub-processing out either inside or outside the EEA.



          • #6
            Well, I guess it puts you in a bit of a difficult spot, but all you can try to do is mitigate the risk. You should take into account Article 82(2) and (3), which say:

            (2) Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

            (3) A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
            Although not guaranteed, you could try to mitigate your risk to shift the liability, or a proportion of it, in accordance with 82(3):

            1. If you want to revisit the agreement you can approach the processor and frame it in such a way as to say that the current arrangement does not comply with the GDPR and requires certain changes to be made, and that you would like to arrange a meeting to discuss those changes. Of course if the processor isn't willing to play ball, then you may want to consider whether they are worth contracting with, and the threat of looking for an alternative provider might give cause for them to agree to a meeting.

            2. Assuming there is provision in the agreement, you can carry out an audit of the processor in accordance with Article 28 and confirm whether the processor is complying with their obligations under the GDPR. If it turns out they are failing to comply, you could use this as leverage to renegotiate the terms of the agreement.

            If the ICO decided to come after you, then you could say to it that actually, you made attempts to renegotiate and they were refusing to comply, in which case the ICO might say well, you could have terminated the arrangement (although you could argue otherwise if the business was tied in for a period of time).

            There could be a number of scenarios, but if you want specific details for your current situation, I would suggest you seek some independent legal advice so that the solicitor can fully understand the position you are in and the best approach.


            • #7
              Originally posted by R0b:
              Well, I guess it puts you in a bit of a difficult spot, but all you can try to do is mitigate the risk. You should take into account Article 82(2) and (3), which say:

              Although not guaranteed, you could try to mitigate your risk to shift the liability, or a proportion of it, in accordance with 82(3):

              1. If you want to revisit the agreement you can approach the processor and frame it in such a way as to say that the current arrangement does not comply with the GDPR and requires certain changes to be made, and that you would like to arrange a meeting to discuss those changes. Of course if the processor isn't willing to play ball, then you may want to consider whether they are worth contracting with, and the threat of looking for an alternative provider might give cause for them to agree to a meeting.

              2. Assuming there is provision in the agreement, you can carry out an audit of the processor in accordance with Article 28 and confirm whether the processor is complying with their obligations under the GDPR. If it turns out they are failing to comply, you could use this as leverage to renegotiate the terms of the agreement.

              If the ICO decided to come after you, then you could say to it that actually, you made attempts to renegotiate and they were refusing to comply, in which case the ICO might say well, you could have terminated the arrangement (although you could argue otherwise if the business was tied in for a period of time).

              There could be a number of scenarios, but if you want specific details for your current situation, I would suggest you seek some independent legal advice so that the solicitor can fully understand the position you are in and the best approach.

              Fantastic advice and guidance Rob, thanks so much.
