What are an employer's obligations under the General Data Protection Regulation (GDPR) if it contracts with a third-party provider to process its employee data?
If an employer uses the services of a third party to process employee data, the third party will be a "processor" and will itself have obligations under the General Data Protection Regulation (2016/679 EU) (GDPR). For example, some cloud service providers and benefits providers would be considered processors under the GDPR. This is unlike the current position under the Data Protection Act 1998, which does not directly cover third-party providers processing data on behalf of a data controller. The employer must ensure that the third-party processor provides sufficient guarantees to implement appropriate technical and organisational measures to meet the requirements of the GDPR and ensure the protection of the rights of the data subjects.
Both the employer and the processor must comply with the requirements of the GDPR relating to the security of processing. The employer must be satisfied that the processor will put in place security measures that are suitable for the particular data, taking into account the scale and nature of the data and the particular processing risks, and that it will keep up to date with advances in technology and keep its risk assessment under review.
The GDPR requires the controller and the processor to enter into a contract that specifically sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. The contract must also set out specific commitments on the part of the processor, including that it will process the personal data only on documented instructions from the controller, ensure the confidentiality and security of the data, delete or return (as the controller decides) all the personal data to the controller after the end of the provision of services and make available to the controller all information necessary to demonstrate compliance. The processor cannot sub-contract to another processor without the written authorisation of the data controller.
If the third party holds the data outside the EEA, the employer must ensure that at least one of the conditions under the GDPR for the transfer of data outside the EEA applies, for example that the country to which data is transferred is certified by the European Commission as ensuring an adequate level of protection.
The GDPR will come into effect on 25 May 2018.