Privacy Guidelines on Data Processor and Data Controller
Guidelines 07/2020 on the concepts of controller and processor in the GDPR
Section 1.3 Content of the contract or other legal act
108. Before focusing on each of the detailed requirements set out by the GDPR as to the content of the contract or other legal act, some general remarks are necessary.
109. While the elements laid down by Article 28 of the Regulation constitute the core content of the agreement, the contract should be a way for the controller and the processor to further clarify how such core elements are going to be implemented with detailed instructions. Therefore, the processing agreement should not merely restate the provisions of the GDPR: rather, it should include more specific, concrete information as to how the requirements will be met and which level of security is required for the personal data processing that is the object of the processing agreement. Far from being a pro-forma exercise, the negotiation and stipulation of the contract are a chance to specify details regarding the processing. Indeed, the “protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processors […] requires a clear allocation of the responsibilities” under the GDPR.
110. At the same time, the contract should take into account “the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject”. Generally speaking, the contract between the parties should be drafted in light of the specific data processing activity. For instance, there is no need to impose particularly stringent protections and procedures on a processor entrusted with a processing activity from which only minor risks arise: while each processor must comply with the requirements set out by the Regulation, the measures and procedures should be tailored to the specific situation. In any event, all elements of Article 28(3) must be covered by the contract. At the same time, the contract should include some elements that may help the processor in understanding the risks to the rights and freedoms of data subjects arising from the processing: because the activity is performed on behalf of the controller, the controller often has a deeper understanding of the risks that the processing entails, since the controller is aware of the circumstances in which the processing is embedded.
111. Moving on to the required content of the contract or other legal act, the EDPB interprets Article 28(3) as requiring the contract or other legal act to set out:
- the subject-matter of the processing (for instance, video surveillance recordings of people entering and leaving a high-security facility). While the subject-matter of the processing is a broad concept, it needs to be formulated with enough specificity that it is clear what the main object of the processing is;
- the duration of the processing: the exact period of time, or the criteria used to determine it, should be specified; for instance, reference could be made to the duration of the processing agreement;
- the nature of the processing: the type of operations performed as part of the processing (for instance: “filming”, “recording”, “archiving of images”, …) and the purpose of the processing (for instance: detecting unlawful entry). This description should be as comprehensive as possible, depending on the specific processing activity, so as to allow external parties (e.g. supervisory authorities) to understand the content and the risks of the processing entrusted to the processor;
- the type of personal data: this should be specified in as detailed a manner as possible (for instance: video images of individuals as they enter and leave the facility). It would not be adequate merely to specify that it is “personal data pursuant to Article 4(1) GDPR” or “special categories of personal data pursuant to Article 9”. In the case of special categories of data, the contract or legal act should at least specify which types of data are concerned, for example, “information regarding health records” or “information as to whether the data subject is a member of a trade union”;
- the categories of data subjects: this, too, should be indicated in a quite specific way (for instance: “visitors”, “employees”, “delivery services”, etc.);
- the obligations and rights of the controller: the rights of the controller are further dealt with in the following sections (e.g. with respect to the right of the controller to perform inspections and audits). As regards the obligations of the controller, examples include the controller’s obligation to provide the processor with the data mentioned in the contract; to provide and document, in writing, any instruction bearing on the processing of data by the processor; to ensure, before and throughout the processing, compliance with the obligations set out in the GDPR on the processor’s part; and to supervise the processing, including by conducting audits and inspections with the processor.