A brewery has many employees. It has signed a contract with a payroll company to pay salaries. The brewery tells the payroll company the date on which salaries are to be paid, when an employee leaves or receives a pay increase, and supplies all other compensation and payment details. The payroll company provides the computer system and stores the employee data. The brewery is the controller and the payroll company is the processor.

This guide helps both controllers and processors understand what should be included in a contract and why. It will also help processors understand their new responsibilities and obligations under the GDPR.

☐ the processor must take appropriate measures to ensure the security of the processing;

Your company/organisation offers babysitting services via an online platform. At the same time, your company/organisation has a contract with another company that allows you to offer value-added services. These services include the possibility for parents not only to choose the babysitter, but also to rent games and DVDs that the babysitter can bring along. Both companies are involved in the technical implementation of the site.
In this case, both companies have decided to use the platform for both purposes (babysitting services and DVD/game rental), and they will very often share the names of customers. As a result, the two companies are joint controllers, because they offer not only the possibility of "combined services" but also the design and use of a common platform.

When a controller uses a processor to process personal data on its behalf, there must be a written contract between the parties.

What is the difference between a controller and a processor?

The GDPR allows the use of standard contractual clauses adopted by the European Commission or by a supervisory authority (such as the ICO) in contracts between controllers and processors. However, no such standard clauses are currently available.

When a processor uses another organisation (i.e. a sub-processor) to help process personal data for a controller, it must have a written contract with that sub-processor. The ICO points out that in the United Kingdom, a written contract between the controller and the processor covering its processing activities is the most appropriate way of complying with the GDPR. The ICO states that a direct contract is not required as long as the sub-processor is contractually bound towards the controller. In addition, any agreement between a processor and a sub-processor must be set out in a written contract and offer a level of data protection equivalent to that of the contract between the controller and the processor.
In 2014, the ICO published guidance to help organisations decide whether they are a controller or a processor; it can be accessed here ("Old Guidance"). This guidance was updated after the GDPR came into force and can be accessed here and here ("New Guidance"). The main point to take away is that companies must continue their GDPR compliance work and ensure that their written contracts between controllers and processors (or sub-processors) contain the minimum requirements described above.