Parish councils and sub-processors - is an Article 28 contract needed?

Question

Hello

Does a parish council require a contract with its sub-processors under Article 28 of the GDPR?

Any advice would be most appreciated.

Thanks

Sam

Answer 1

Paragraph 3 seems to suggest that you do.  "Processing by a processor shall be governed by a contract..."

What processing are you delegating?

Comments

Hi DtC

Thanks for your reply. The parish council have delegated all of their data protection responsibilities to a company and in the absence of a written contract required under Article 28.

Sam

---

I'm not sure you can delegate all of your data protection responsibilities.  It's not my area of expertise, so hopefully others will chip in.  Might be worth having a conversation with the data protection officer of your principal council.

---

Hi DtC

Thank you again.  However, the principal council is just as inept as the parish council.

Sam

Answer 2

What is the sub processor actually going to doing? Well it seems they have been tasked to "manage our (The PC's) personal data" ?

It might be helpful to note that "Processing" of personal data means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.   

So I would give thought to which of the above should be stipulated in the contract.  Are the sub processors going to work in the PC's office  (if they have one?) Erasure & Destruction in line with GDPR 2018 will be likely processing items, but I would be interested  to know how they would erase personal data from the PC's ICT infrastructure, whatever that amounts to. 

Comments

Hi Graeme_r

Thank you for your reply.

It appears the company has undertaken the role of controller since the parish council is simply incompetent when it comes to handling personal data but there is no written contract or any sufficient guarantees that the company can meet the requirements of the GDPR.

Sam

Answer 3

Could this fall under a risk and insurance policy or equivalent ?
I would raise your concerns in writting with the Clerk but it strikes me an aggrement is required.

Comments

Thanks RuralTCllr.

Answer 4

It depends precisely what the supplier will be doing. If the supplier is only drafting policies and procedures, article 28 may not apply.
Article 28 will  apply if the supplier is going to be processing personal data on behalf of the Parish Council - for example dealing with subject access requests or advising on data protection complaints. In those circumstances Article 28 sets out in some detail what needs to be in the contract.
The Parish Council remains responsible in law for the actions of the supplier (other than in extraordinary circumstances) and must make it clear in its privacy notice that personal information may be passed to the supplier.

Comments

Thanks Smallb34r.

Yes, the processor is processing personal data on behalf of the parish council but the parish council state they do not need a proper written contract as required by Article 28(3).

---

You may wish to refer the Councillors to the guidance from the Information Commissioner at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts/.
This says "Whenever a controller uses a processor, there must be a written contract in place. The contract is important so that both parties understand their responsibilities and liabilities. The GDPR sets out what needs to be included in the contract."
The guidance then provides a helpful checklist of what needs to be included in the contract.

There are many grey areas in the GDPR, but this one is crystal clear!

---

Many thanks again Smallb34r.  Deeply appreciated!