The European Data Protection Board is consulting on its Guidelines on the concepts of controller and processor in the GDPR until 19 October 2020. They are long and detailed and only likely to be read by those with a serious interest in the GDPR. I thought I would highlight what I found to be a very interesting paragraph (107) in relation to data processing agreements which may be included in a service provider’s standard terms and conditions.
‘The fact that the contract and its detailed terms of business are prepared by the service provider rather
than by the controller is not in itself problematic and is not in itself a sufficient basis to conclude that
the service provider should be considered as a controller. Also, the imbalance in the contractual power
of a small data controller with respect to big service providers should not be considered as a
justification for the controller to accept clauses and terms of contracts which are not in compliance
with data protection law, nor can it discharge the controller from its data protection obligations. The
controller must evaluate the terms and in so far as it freely accepts them and makes use of the service,
it has also accepted full responsibility for compliance with the GDPR. Any proposed modification, by a
processor, of data processing agreements included in standard terms and conditions should be directly
notified to and approved by the controller. The mere publication of these modifications on the
processor’s website is not compliant with Article 28.’
In short, a small controller cannot use its poor bargaining position as an excuse for poor GDPR compliance but large processors cannot abuse their bargaining position by simply dictating terms.
You might also be interested in::
- Artificial Intelligence and identifying Controllers and Processors – 2021 may bring further clarity The ICO has just published new guidance on Artificial Intelligence (AI). I wrote a detailed...
- EDPB adopts new Guidelines on Video Surveillance The European Data Protection Board has recently (29 January 2020) adopted its Guidelines on Video...
- ICO Publishes Draft Code on Direct Marketing- Sit up and Take Notice!! This new Code came out for public consultation yesterday (8th January 2020). At just over...
Share this
