If you’re in the digital or data-driven services industry, you have most probably received calls from a lot of panicky clients asking whether your service is GDPR compliant. Luckily for many South African companies, the answer would be, “no, we’re not, and we don’t have to be”.
However, it is likely that at least a few of your clients would be subject to the direct application of the GDPR. And those clients must have a written ‘processor’ agreement with you. These agreements are sometimes called ‘data protection agreements’ or ‘DPAs’.
By the way, if you’re still not sure whether the GDPR applies to you, now would be a good time to find out. Our whitepaper can help you solve this mystery.
When would you be a processor?
If you are processing personal data on your client’s behalf the GDPR would call you a processor. Processing includes any collection, recording, organisation, storage, use, transmission and destruction of data.
Let’s look at an example:
You’re a marketing company that sends promotional vouchers to a European client’s customers on the client’s behalf.
In this example your client must comply with the GDPR, because the client is situated in the EU. You are based in South Africa and are not subject to the GDPR. But the GDPR requires your client to have a written processor contract with you.
What can you expect in a ‘processor’ contract?
As a minimum the contract will set out:
- The subject matter and duration of the processing; for example, you will send out promotional vouchers to the client’s customer database for the next three months.
- The nature and purpose of the processing; for example, you will send promotional vouchers to the client’s customer database via SMS and email.
- The type of personal information and categories of data subjects; for example, you will have the names, cell phone numbers and email addresses of your client’s customers.
- The obligations and rights of your client.
The contract will also require you to
- only act on the written instructions of your client
- ensure that people with access to the data will keep it confidential
- take appropriate measures to ensure the security of your activities and the data
- only engage with sub-processors (other guys that you use to provide your service to the client) with the prior consent of the client and a written contract
- assist the client with providing people access to their data
- assist the client to meet its other GDPR obligations in relation to security, notifications of data breaches and data protection impact assessments
- delete or return all personal data to the client when the contract ends
- submit to audits and inspections
- give the client information that shows you are complying with the contract
- tell the client immediately if you are asked to do something that will infringe the GDPR or other data protection laws
The contract will probably also include an indemnity whereby you indemnify the client in case they get a fine or a claim against them because of something you did (or didn’t do) in breach of the contract.
Goodness gracious batman, is that a mouthful?
Unfortunately, the terms of the processor contract are prescribed by the GDPR and there’s no getting around them or negotiating them away. If you’re not willing to sign these contracts, you won’t be getting much business from European clients, or clients who use data of people in the EU.
There is a thin silver lining though. Your obligations in the processor contract relate only to the specific processing activity and types of personal data described in the contract. This means that you only have to comply when performing that specific activity for that client.
Here is some free advice: before you start signing processor contracts, make sure you have adequate insurance in place should your client hold you liable under the indemnity clause.
Speak to us if you are concerned about the risks around signing and not signing these contracts.