Under Article 28 of the General Data Protection Regulation (“GDPR”), controllers must only appoint processors who can provide “sufficient guarantees” to meet the requirements of the GDPR. Processors must only act on the documented instructions of the controller and they can be held directly responsible for non-compliance with the GDPR obligations, or the instructions provided by the controller, and may be subject to administrative fines or other sanctions and liable to pay compensation to data subjects.
On 13 September 2017, the UK’s supervisory authority, the Information Commissioner’s Office (“ICO”), published draft guidance on contracts between controllers and processors under Article 28 GDPR.
The Guidance aims to provide the ICO’s preliminary opinion on the content of contracts for the processing of personal data. Leaving the description of the individual requirements to the main source, the ICO provides a useful “must have” checklist to help controllers and processors assess their contracts.
According to the Guidance, a contract must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, the obligations and rights of the controller. Other compulsory terms include:
As a matter of good practice, contracts:
A processor should also be aware that:
Notably, the GDPR allows standard contractual clauses issued by the EU Commission or a supervisory authority (such as the ICO) to be used in contracts between controllers and processors. No such standard clauses are, however, currently available.
The Guidance is merely a draft, representing the ICO’s view on Article 28 GDPR, and it will need to evolve to take account of future guidelines issued by the relevant European authorities. With this in mind, businesses will have to continue their GDPR compliance process, making sure that specific written contracts between controllers and processors (or sub-processors) contain the minimum set of requirements described above.
Source: ICT Legal Consulting
Wojciech Wideł, Preetam Mukherjee, and Mathias Ekstedt from our partner KTH have published a paper in IEEE Access on their work in the SOCCRATES project.
In order to ensure that the SOCCRATES platform is fit for purpose, the project will carry out three pilots to validate the platform in realistic environments. This webinar will present results and experiences from the second pilot, in which the complete SOCCRATES platform was validated in realistic (on-site) environments at Vattenfall, mnemonic and Shadowserver.
Martin Eian, Researcher, Mnemonic
Piotr Kijewski, CEO Shadowserver
Maciej Kosz, IT Security Officer, Vattenfall
SOCCRATES provides a deep dive session on the SOCCRATES platform at the ONE Conference 2022.
Within the H2020 EU project SOCCRATES, a security decision support platform has been developed for Security Operation Centres (SOCs) and Computer Security Incident Response Teams (CSIRTs). This so-called ‘SOCCRATES Platform’ is targeted at organisations’ in-house SOCs and at Managed Security Service Providers (MSSPs) that provide SOC services.