If you use any third-party processors to handle employees’ personal data, you must by law include a number of key written terms governing data protection in the commercial contracts you enter into with them.
Processor obligations
As an employer, you're a "controller" in relation to your employees' personal data. However, you might also engage one or more third-party service providers, e.g. an outsourced payroll or IT service, a pension scheme or a staff benefits provider. If any of them processes employees' personal data on your behalf, it is a "processor", and the UK GDPR imposes significant obligations directly on processors with which they must comply in their own right.
Contractual requirements
However, don't assume this is none of your concern. Where you're the controller, the UK GDPR (Article 28) specifically requires you to include certain terms in the written contracts you put in place with your processors. Firstly, you must only use processors that provide sufficient guarantees that they will implement appropriate technical and organisational measures so that their processing meets the UK GDPR's requirements and protects data subjects' rights; this is a due diligence obligation on you before you appoint them, not just a clause in the contract. Secondly, the written contract with your processor must set out: (a) the subject matter and duration of the processing; (b) the nature and purpose of the processing; (c) the type of personal data processed; (d) the categories of data subjects; and (e) your obligations and rights as controller. On this latter point, your written contract must stipulate that the processor will:
Our GDPR Data Processor Clauses can be inserted into your contracts as required. They incorporate all the above requirements. We've assumed in our clauses that you're not willing to allow your processors to engage sub-processors; if you are, the clauses will need to be amended accordingly.