Follow us on Twitter

Parish councils and sub-processors - is an Article 28 contract needed?

0 votes
Hello

Does a parish council require a contract with its sub-processors under Article 28 of the GDPR?

Any advice would be most appreciated.

Thanks

Sam
asked by (2.1k points)

4 Answers

+1 vote
Paragraph 3 seems to suggest that you do.  "Processing by a processor shall be governed by a contract..."

What processing are you delegating?
answered by (18.3k points)
Hi DtC

Thanks for your reply. The parish council have delegated all of their data protection responsibilities to a company and in the absence of a written contract required under Article 28.

Sam
I'm not sure you can delegate all of your data protection responsibilities.  It's not my area of expertise, so hopefully others will chip in.  Might be worth having a conversation with the data protection officer of your principal council.
Hi DtC

Thank you again.  However, the principal council is just as inept as the parish council.

Sam
+1 vote

What is the sub processor actually going to doing? Well it seems they have been tasked to "manage our (The PC's) personal data" ?

It might be helpful to note that "Processing" of personal data means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.   

So I would give thought to which of the above should be stipulated in the contract.  Are the sub processors going to work in the PC's office  (if they have one?) Erasure & Destruction in line with GDPR 2018 will be likely processing items, but I would be interested  to know how they would erase personal data from the PC's ICT infrastructure, whatever that amounts to. 

answered by (13.4k points)
edited by
Hi Graeme_r

Thank you for your reply.

It appears the company has undertaken the role of controller since the parish council is simply incompetent when it comes to handling personal data but there is no written contract or any sufficient guarantees that the company can meet the requirements of the GDPR.

Sam
+1 vote
Could this fall under a risk and insurance policy or equivalent ?
I would raise your concerns in writting with the Clerk but it strikes me an aggrement is required.
answered by (2.7k points)
Thanks RuralTCllr.
+1 vote
It depends precisely what the supplier will be doing. If the supplier is only drafting policies and procedures, article 28 may not apply.
Article 28 will  apply if the supplier is going to be processing personal data on behalf of the Parish Council - for example dealing with subject access requests or advising on data protection complaints. In those circumstances Article 28 sets out in some detail what needs to be in the contract.
The Parish Council remains responsible in law for the actions of the supplier (other than in extraordinary circumstances) and must make it clear in its privacy notice that personal information may be passed to the supplier.
answered by (910 points)
Thanks Smallb34r.

Yes, the processor is processing personal data on behalf of the parish council but the parish council state they do not need a proper written contract as required by Article 28(3).
You may wish to refer the Councillors to the guidance from the Information Commissioner at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts/.
This says "Whenever a controller uses a processor, there must be a written contract in place. The contract is important so that both parties understand their responsibilities and liabilities. The GDPR sets out what needs to be included in the contract."
The guidance then provides a helpful checklist of what needs to be included in the contract.

There are many grey areas in the GDPR, but this one is crystal clear!
Many thanks again Smallb34r.  Deeply appreciated!

Welcome to Town & Parish Councillor Q&A, where you can ask questions and receive answers from other members of the community. All genuine questions and answers are welcome. Follow us on Twitter to see the latest questions as they are asked - click on the image button above or follow @TownCouncilQA. Posts from new members may be delayed as we are unfortunately obliged to check each one for spam. Spammers will be blacklisted.

You may find the following links useful:

We have a privacy policy and a cookie policy.

Google Analytics Alternative