Data Processor Accountability

The General Data Protection Regulation (GDPR) places increased responsibilities on all those parties that process personal data. Let us consider payroll bureaux and how GDPR will impact the contract between them and their clients.

Payroll bureaux process data on behalf of the client. In data protection terms, the client is considered the data controller and the payroll bureau will be considered the data processor.

Current data protection legislation mostly addresses data controllers, giving them the responsibility to ensure compliance when entering into an agreement with a data processor. However, the GDPR approach is different. For the first time data processors have significant responsibilities and liabilities in their own right. Under the GDPR, data processors may be liable to damages or subject to fines and other penalties.

Considering this greatly increased accountability, payroll bureaux should be extra vigilant in ensuring that they have a water-tight contract with their clients. Being so much more exposed under GDPR, payroll bureaux will want to make sure their obligations are precisely defined and agreed upon in the terms of service.

With this in mind we take a look at some of the new responsibilities being placed by GDPR on data processors as well as what must be in the contract between a data controller and data processor.

Requirement for a written contract between data controller and data processor

Any contracts in place on 25th May 2018 will need to comply with the new GDPR requirements. This includes existing contracts that run past 25th May 2018.

Existing Legislation

Under existing data protection laws contracts between a controller and a processor; should be in writing, should require the data processor to only process data on the instructions of the data controller and to take appropriate measures to keep all personal data secure.

Contract requirements under GDPR

Under the GDPR the contract requirements are wider. The following will be mandatory terms to be included in contracts from 25th May 2018:

  • Contracts must set out the:
    • Subject matter and duration of the processing
    • The nature and purpose of the processing
    • The type of personal data and categories of data subject
    • The obligations and rights of the controller
  • The following mandatory contractual terms should also be included:
    • The processor must only act on the written instruction of the controller (unless required by law to act without such instruction)
    • The processor must ensure that people processing the data are subject to a duty of confidence
    • The processor must take appropriate measures to ensure the security of processing
    • The processor must only engage a sub-processor with the prior consent of the data controller and a written contract
    • The processor must assist the data controller in meeting its GDPR obligations in relation to:
      • the security of processing
      • the notification personal data breaches and
      • data protection impact assessments
    • The contract must include end of contract provisions in order to ensure the continued security of the personal data. The processor must delete or return all personal data to the controller as requested at the end of the contract. An exemption applies where the data processor is required by law to retain data.
    • The processor must submit to audits and inspections provide the controller with whatever information it needs and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law.
    • As a matter of good practice, contracts should:
      • State that nothing within the contract relieves the processor of its own direct responsibilities and liabilities under the GDPR
      • Reflect any indemnity that has been agreed

In the future, standard contract clauses may be provided by the European Commission or supervisory authorities; however no standard clauses have as yet been drafted.


In terms of GDPR readiness, a starting point for payroll bureaux will be to review their existing client contracts to ensure they contain the required mandatory clauses. If they do not, new contracts or a data protection addendum should be drafted and signed.

If you have any questions about how GDPR will affect our client relationship please give us a call on 01242 573 321.