Data Processors are organisations that provide data processing services, particularly IT-related services, to Data Controllers, where the Data Controller specifies the purpose for which and the manner in which personal data are processed.
Both Data Controllers and Data Processors have compliance obligations under data protection legislation, but the obligations for Data Controllers are more onerous. Determining whether an organisation is a Data Controller or Data Processor can be difficult, but it is an important distinction. Myerson can advise you about whether you have responsibilities under the legislation as a Data Controller or Processor and what the implications are.
Data Protection legislation includes a mandatory requirement for specific terms and conditions to be put in place where a Data Processor provides relevant services to a Data Controller. The required contractual terms must cover important points specified in the legislation including terms relating to data security measures, confidentiality and subcontracting. Such arrangements can sometimes be complicated by the fact that Data Processors can often be located outside of the EU and special rules in relation to may apply.
Myerson can assist in relation to putting appropriate contractual terms in place or advising on data processing terms proposed by third parties.
There are no other mandatory requirements for terms and conditions to be put in place, but the regulator requires, as a matter of best practice, appropriate due diligence of third parties with which personal data may be shared, as well as appropriate data sharing agreements.