Data Protection Compliance
As an authority, the Council will only appoint a processor that provides sufficient guarantees to implement appropriate technical and organisational measures to ensure their processing meets the requirements of Data Protection legislation.
To demonstrate this, your business will have set out the management support and direction for data protection compliance in a framework of policies and procedures. Your business monitors compliance with data protection policies and regularly reviews the effectiveness of data handling / processing activities and security controls. Your business has developed and implemented a needs based data protection training programme for all staff.
The Council will assess the appropriate level of security the processor has; it shall take account in particular of the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Doing business with the Council
To process data lawfully in line with Data Protection legislation, when doing business with the Council a written contract will be put in place which will be binding, and will set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
That contract shall stipulate, in particular, that the processor:
May only processes the personal data (including transfers to a third country) in the ways described in the written contract, or in ways they are legally required to, due to law. If the later, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
Must ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
The processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, amongst other things, as appropriate. This will take account of the context and purposes of processing as well as the risk to individuals rights to privacy. This will include, but not limited to:
- the Pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Restriction on Sub-Contracting
The processor shall not engage another processor without prior specific or general written authorisation of the Council. In the case of general written authorisation, the processor shall inform the Council of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
Where a processor sub-contracts another processor, the processor will ensure the same data protection obligations as set out in the contract between the Council and the processor are imposed on the sub-contractor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of Data Protection legislation. Where that sub-contractor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.
Assisting the Controller with exercising a data subjects rights
Taking into account the nature of the processing, where possible the processor will assist the Council by using appropriate technical and organisational measures to respond to requests for exercising a data subject's rights which in summary are:
- to provide information about data use when collecting personal data;
- subject Access Requests;
- the right to rectification and erasure;
- the right to be forgotten;
- the right to restriction of processing;
- notification regarding rectifications or erasure or
- processing restrictions of personal data;
- rights of data portability, and
- the right to object to processing or automated decision making.
Taking into account the nature of the processing and the information available to the processor, the processor will assist the Council in ensuring compliance with its obligations relating to:
- the security of processing described above;
- investigating and reporting data breaches, and
- completion of data protection impact assessments
After the completion of the processing the processor should, at the choice of the Council, return or delete the personal data, unless there is a requirement to store the personal data under legislation to which the processor is subject.
The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations laid down in the contract and allow for and contribute to audits, including inspections, conducted by the Council or another auditor mandated by the controller.
- Personal Data – Information that can identify a living individual
- Processing – any use to which that personal information is put
- Data Subject – the individual the data is about
- Union – European Union
Who is affected?
"Processor – means another person or company which processes personal data on behalf of the Council."
"Controller – means the public authority which, alone or jointly with others, determines the purposes and means of processing of personal data…"