GDPR Accountability
Contracts and Data Sharing

Data Sharing Policies and Procedures
Your organisation's policies and procedures make sure that you appropriately manage data sharing decisions.
7.1.1 You have a review process, through a DPIA or similar exercise, to assess the legality, benefits and risks of the data sharing.
7.1.2 You document all sharing decisions for audit, monitoring and investigation purposes and you regularly review them.
7.1.3 Your organisation has clear policies, procedures and guidance about data sharing, including who has the authority to make decisions about systematic data sharing or one-off disclosures, and when it is appropriate to do so.
7.1.4 Your organisation adequately trains all staff likely to make decisions about data sharing, and makes them aware of their responsibilities. You refresh this training appropriately.
Data Sharing Agreements
You arrange and regularly review data sharing agreements with parties with whom you regularly share personal data.
7.2.1 You agree data sharing agreements with all the relevant parties and senior management signs them off.
7.2.2 The data sharing agreement includes details about: the parties' roles; the purpose of the data sharing; what is going to happen to the data at each stage; and sets standards (with a high privacy default for children).
7.2.3 Where necessary, procedures and guidance covering each organisation's day-to-day operations support the agreements.
7.2.4 If your organisation is acting as a joint controller (within the meaning of Article 26 of the GDPR), you set out responsibilities under an arrangement or a data sharing agreement, and you provide appropriate privacy information to individuals.
7.2.5 You have a regular review process to make sure that the information remains accurate and up-to-date, and to examine how the agreement is working.
7.2.6 There is a central log of the current data sharing agreements.
Restricted Transfers
Your organisation has procedures in place to make sure that restricted transfers are made appropriately.
7.3.1 You consider whether the restricted transfer is covered by an adequacy decision or by 'appropriate safeguards' listed in data protection law, such as contracts incorporating standard contractual data protection clauses adopted by the Commission or Binding Corporate Rules (BCRs).
7.3.2 If a restricted transfer is not covered by an adequacy decision or an appropriate safeguard, you consider whether it is covered by an exemption set out in Article 49 of the GDPR.
Processors
You have appropriate procedures in place regarding the work that processors do on your behalf.
7.4.1 You have written contracts with all processors.
7.4.2 If using a processor, you assess the risk to individuals and make sure that these risks are mitigated effectively.
7.4.3 An appropriate level of management approves the contracts and both parties sign. The level of management required for approval is proportionate to the value and risk of the contract.
7.4.4 Each contract (or other legal act) sets out details of the processing including the:
• subject matter of the processing;
• duration of the processing;
• nature and purpose of the processing;
• type of personal data involved;
• categories of data subject; and
• controller's obligations and rights, in accordance with the list set out in Article 28(3) of the GDPR.
7.4.5 You keep a record or log of all current processor contracts, which you update when processors change.
7.4.6 You review contracts periodically to make sure they remain up-to-date.
7.4.7 If a processor uses a sub-processor to help with the processing it is doing on your behalf, they have written authorisation from your organisation and a written contract with that sub-processor.
Controller-Processor Contract Requirements
All of your controller-processor contracts cover the terms and clauses necessary to comply with data protection law.
7.5.1 The contract or other legal act includes terms or clauses stating that the processor must:
• only act on the controller's documented instructions, unless required by law to act without such instructions;
• make sure that the people processing the data are subject to a duty of confidence;
• help the controller respond to requests from individuals to exercise their rights; and
• submit to audits and inspections.
7.5.2 Contracts include the technical and organisational security measures the processor will adopt (including encryption, pseudonymisation, resilience of processing systems and backing up personal data in order to be able to reinstate the system).
7.5.3 The contract includes clauses to make sure that the processor either deletes or returns all personal data to the controller at the end of the contract. The processor must also delete existing personal data unless the law requires its storage.
7.5.4 Clauses are included to make sure that the processor assists the controller in meeting its GDPR obligations regarding the security of processing, the notification of personal data breaches and DPIAs.
Processor Due Diligence Checks
You carry out due diligence checks to guarantee that processors will implement appropriate technical and organisational measures to meet GDPR requirements.
7.6.1 The procurement process builds in due diligence checks proportionate to the risk of the processing before you agree a contract with a processor.
7.6.2 The due diligence process includes data security checks, eg site visits, system testing and audit requests.
7.6.3 The due diligence process includes checks to confirm a potential processor will protect data subjects' rights.
Processor Compliance Reviews
Your organisation reviews data processors' compliance with their contracts.
7.7.1 Contracts include clauses to allow your organisation to conduct audits or checks, to confirm the processor is complying with all contractual terms and conditions.
7.7.2 You carry out routine compliance checks, proportionate to the processing risks, to test that processors are complying with contractual agreements.
Third Party Products and Services
Your organisation considers 'data protection by design' when selecting services and products to use in data processing activities.
7.8.1 When third parties supply products or services to process personal data, you choose suppliers that design their products or services with data protection in mind.
Purpose Limitation
Your organisation proactively takes steps to only share necessary personal data with processors or other third parties.
7.9.1 Your organisation only shares the personal data necessary to achieve its specific purpose.
7.9.2 When information is shared, it is pseudonymised or minimised wherever possible. You also consider anonymisation so that the information is no longer personal data.