
Personal Data Processing Agreement (GDPR)

2019/10/20

Even the previous legal regulation enshrined the obligation for controllers and processors of personal data to conclude a personal data processing agreement. Specifically, this obligation was expressed in the provision of Section 6 of the Personal Data Protection Act, whilst we addressed the requirements for the content of the personal data processing agreement in Legal Circular No. 11/2015. Given that Regulation (EU) 2016/679 of the European Parliament and of the Council, referred to as the GDPR (hereinafter “the Regulation”), further extends the requirements for the content of such an agreement, and given that the vast majority of internet traders use personal data processors in their activities (these may be services in the area of hosting, marketing, software administration, accounting, etc.), we have decided to address this issue in greater detail also in this Legal Circular.

The content requirements for the agreement are set out in Article 28(3) of the Regulation. The general requirements are stated in the first sentence of that provision: processing by a processor shall be governed by a contract which is binding on the processor with regard to the controller and which “sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.” This list of general content requirements is rather disparate. For example, the inclusion of “rights and obligations” adds little, since every contract contains some rights and obligations. Further specific content requirements (in particular the obligations to be imposed on the processor) are then set out in considerable detail in the second sentence of Article 28(3). Given that the scope of these content requirements significantly exceeds the requirements of the current legal regulation, it will be necessary by the date of application of the Regulation (25/5/2018) to replace existing contractual relationships with new ones (or to conclude appropriate amendments) so that the new legal regulation is fully complied with.

As indicated, the obligation to have a processing agreement in place applies to both controllers and processors of personal data. According to Article 28(9) of the Regulation, the contract must be concluded “in writing, including in electronic form.” The personal data processing agreement need not be executed as a separate document and in practice may therefore be included in more extensive contractual arrangements between the parties (for example, in the terms and conditions of hosting services). It can be expected that large multinational providers of cloud solutions, for example, will address this matter in their standard documentation, though not necessarily on terms favourable to their customers; it is therefore advisable to check such standard terms against the requirements of Article 28(3) before relying on them.

Article 28(6) to (8) of the Regulation envisage the possibility that the European Commission or the supervisory authorities of individual Member States may issue standard contractual clauses in this area: “without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses…” The possibility of addressing these relationships through the processor’s adherence to an approved code of conduct is also envisaged (Article 28(5) of the Regulation). However, according to our information, none of these options (standard contractual clauses or codes of conduct) is currently available in practice.

In this context, it is also appropriate to mention that the Regulation introduces the role of the so-called sub-processor. For example, if a company which operates an internet shop for a trader uses a third party’s storage facility (a cloud solution) to store the personal data of purchasers, that third party (the storage operator) is a sub-processor. The sub-processor is also subject to the Regulation, including the requirement to conclude a personal data processing agreement (in this case between the processor and the sub-processor). Under Article 28(4) of the Regulation, the content requirements of this agreement are the same as those for the relationship between the controller and the processor (see above). In addition, under Article 28(2) the processor may engage a sub-processor only with the controller’s prior specific or general written authorisation, so the arrangement with the sub-processor should be covered by the controller’s approval as well.

Josef Aujezdský, Advocate

Law Firm Mašek, Kočí, Aujezdský, www.e-Advokacie.cz (on-line legal advisory services)

This text was originally prepared by the Law Firm Mašek, Kočí, Aujezdský in cooperation with the Association for Electronic Commerce (APEK) as Legal Circular No. 11/2017 intended for members of this association.

This text was translated from Czech to English using an AI translator.
