The UK General Data Protection Regulation (UK GDPR) sets out strict rules around data sharing. When a data controller shares personal data with a data processor, the parties must enter a set of mandatory data processing terms.
These terms are prescribed under Article 28 of the UK GDPR and often referred to as ‘controller-to-processor agreements’, either forming part of the relevant services agreement or a separate data processing agreement (DPA). See our article ‘What is a controller-to-processor agreement’ for background on when a controller-to-processor agreement is needed.
Controller-to-processor agreements are often heavily negotiated. The parties need to ensure that their agreements are UK GDPR compliant and may seek to protect their best interests. As such, there is a balance to be struck between complying with the law and achieving workable commercial terms for both parties. In practice, this can be challenging for businesses.
In this practical guide, our Data Privacy solicitors will explore the key issues around negotiating controller-to-processor agreements, highlight the provisions which are most often negotiated, and provide best practice tips for successful negotiations.
Contents:
Key considerations for negotiating controller-to-processor agreements
When reviewing a controller-to-processor agreement, you must ensure that all the mandatory Article 28 UK GDPR clauses are included and are not diluted in any respect. Otherwise, you risk your agreement not being UK GDPR compliant.
Despite certain terms being mandatory, there is still plenty of room for negotiation in controller-to-processor agreements. Controllers are often likely to push for further protection and impose more extensive obligations on processors. The Article 28 UK GDPR terms are minimal and still afford scope for businesses to negotiate provisions to protect their best interests. Many controller-to-processor contracts go far beyond the requirements of Article 28.
There are certain preliminary practical points which you should carefully consider before negotiating the terms of a controller-to-processor agreement. These points will influence your approach to negotiations and how far you should push to protect your interests.
Data controller considerations
Some of the key points to consider as a data controller include the following:
- Consider which types of data the supplier will process as part of their services. Is there a large volume of data, and is that data sensitive or does it contain any special category data? Will the data remain in the United Kingdom, or will it be sent to or accessed in overseas countries? Will any group company personal data be shared?
- The level of risk and the length of data processing should determine your approach to negotiations. For example, a long-term project involving high volumes of sensitive information will require more time and negotiation efforts than a small, single project involving minimal data.
- Consider whether you will contract on the supplier’s data processing terms or present your own terms. This will often come down to how much negotiating power you have. For example, large service providers such as Amazon have their own data processing terms and will almost certainly reject any customer terms.
- If your project is very low risk, you may decide that a simple and short set of data processing terms in your services agreement suffices. However, larger, and more high-risk projects may warrant a separate DPA with a comprehensive set of robust data processing terms, which cover more provisions than the terms mandated under Article 28 of the UK GDPR.
- Through due diligence on the supplier, you may find that they have strong data security in place and a track record of keeping personal data secure. As such, you may wish to tailor your approach to negotiations accordingly. If a supplier has an excellent reputation for safeguarding customer data and strong security credentials, you may be more willing to trust them with your personal data and not feel the need to negotiate onerous terms with them.
- You should also consider a commercial strategy, rather than simply focusing on legal issues. As a customer, you may want to work with the supplier and need their services. For example, the supplier may offer you competitive fees or a bespoke service tailored to your business needs. As such, you may wish to consider taking a reasonable negotiation approach to get the deal over the line commercially, rather than starting on the wrong foot with acrimonious negotiations.
- You should also consider your budget. For example, it is unlikely to be cost-effective to attempt to heavily negotiate standard processing terms with a large supplier of services, who may simply reject any amendments you propose.
These initial considerations will impact how you approach negotiating controller-to-processor agreements. This will not be a one-size-fits-all approach and may vary depending on the type of supplier and the type of data involved under the relevant contract.
Data processor considerations
As a supplier of services processing personal data for customers, you should also adopt a strategic approach to negotiating controller-to-processor agreements.
- You may want to push for a customer to sign your own data processing terms or DPA; however, you should try to be open to what a customer’s concerns might be.
- Think about what possible additional assurances you could offer to give your customer comfort, whilst not agreeing to terms you know you will struggle to comply with in practice.
- Again, the risk of the data in question and the length and the value of the project will likely impact your overall strategy and approach to negotiations.
- It is vital to always review the terms proposed by a customer very carefully and ensure you can deliver what the customer requests before agreeing to do so. For instance, strict time limits to assist the customer with their UK GDPR obligations, or the obligations of picking up the costs of doing so.
Commonly negotiated provisions in a controller-to-processor agreements
There are various provisions which parties tend to negotiate in controller-to-processor agreements.
Keep in mind that although a party has set out various terms in its agreement, that doesn’t necessarily mean they are mandatory by law. Always go back to check the provisions of Article 28 of the UK GDPR to determine whether a provision in a controller-to-processor is mandatory or not.
Controllers may raise specific requests around the parameters of data processing. For instance, which types of personal data they are willing to share, how long a processor can use the data and why and restrictions on data sharing. There may also be detailed discussions around the data retention and deletion process, such as measures to warrant that data has been deleted.
Some of the most heavily negotiated provisions are explored below.
- Liability and indemnities
The UK GDPR does not prescribe what liability terms should be in place between controllers and processors. As such, this is one of the most heavily negotiated part of controller-to-processor agreements. The parties often negotiate to decide how liability should be apportioned between them.
Controllers are accountable and responsible for ensuring that processing is carried out in compliance with the UK GDPR rules. Controllers will be more likely to be exposed to claims and can be held liable for various consequences if data is misused. However, the UK GDPR also places obligations on processors, who can also be held liable in certain circumstances. Processors will also be concerned about the controller complying with UK GDPR, for example – they will want assurance that the controller has the appropriate consents or notices in place to allow personal data to be transferred to them.
Controllers will be particularly concerned about ensuring they can recover any losses they suffer from a processor. As such, a contractual indemnity (an obligation to compensate the controller for its losses on a pound-for-pound basis) is often a request in negotiations. A controller will also want to ensure that it can make certain claims against the processor, for example, claims allowing the controller to have recourse against the processor for loss of data resulting from a data breach.
Pre GDPR, suppliers would accept unlimited liability. However, post GDPR, there is a trend towards suppliers now limiting and capping their liability for data protection breaches. A supplier is highly unlikely to accept unlimited liability for data protection breaches. It is far more common for parties to negotiate a higher cap on liability for data protection law losses.
When considering liability, you should consider what the risk to personal data is for the project and what could potentially go wrong. As a controller, it is also important to check if the supplier has cyber insurance in place, to back up the liability provisions you negotiate.
Negotiations on liability will often come down to bargaining power. Very large suppliers such as Microsoft are extremely unlikely to negotiate these terms, but a small supplier looking to secure business may be more willing to negotiate liability clauses which a controller customer is comfortable with. Otherwise, there is a risk that the controller could go to a different supplier.
Ultimately, the parties need to come to a reasonable compromise position over the allocation of liability. This will vary from contract to contract. - Security measures
The UK GDPR is not prescriptive about what exact security measures data processors should have in place. However, controller customers will often want a supplier to demonstrate appropriate security measures and agree to maintain those measures throughout the contract term.
They will also often want full oversight of such security measures and want their IT or data security teams to review the same
Often, controllers will try to impose specific security standards on their processors – and sometimes quite extensive ones. As such, controllers are likely to ask processors to include various data security measures in their agreements. Processors may push back on the basis that the controller’s requests do not reflect the actual security measures they have in place.
The security measures to be in the agreement are often heavily negotiated. This will often come down to how far a processor can assure a controller they have appropriate security to keep their data secure. As a processor, you should be prepared to answer a customer’s questions about your security measures and commitments as a business – this will form a key part of the customer’s supplier due diligence. - Sub-processors
Processors need prior authorisation from controllers before they can appoint further third-party sub-processors. Often, processors will insist upon having general authorisation to appoint sub-processors from time to time. However, controllers will want control over which sub-processors are appointed and a clear and reasonable timeframe to reject the appointment of any sub-processors. Controllers will also often want remedies if they disagree with the appointment of a new sub-processor, such as the right to terminate the agreement. It is important to carefully discuss and negotiate the logistics of how this will work in practice under your agreement.
- Costs
Whilst a processor is obliged to assist a controller with complying with certain UK GDPR obligations under their contract, it is common for the parties to debate who will pay the costs. A processor could incur huge costs if every controller asked them to pay for their assistance.
- Audit rights and compliance monitoring
The extent of the controller’s audit rights over the data processor is often also negotiated – for example, which audit rights they have, how often audits can be carried out, whether sub-processors can be audited and who pays the costs.
Controllers may want regular compliance monitoring rights too – such as reports and ongoing evidence of compliance. - International transfers
Provisions around international data transfers of the controller’s data to countries outside the United Kingdom are also a common negotiation point, particularly where controller customers are concerned about their personal data being sent to certain countries. For instance, the controller may want to specify that their data remains stored and processed within the United Kingdom only. - Data breaches
The specific timeframes for notification of personal data breaches can be a negotiation point. Controllers are likely to push for tight time limits to notify them of breaches, such as immediately. However, processors may be unable to comply with such timeframes in practice, depending on their internal processes.
As highlighted above, controller-to-processor agreements are not straightforward, and the parties will often explore several key areas as part of their negotiations.
Practical strategies to negotiate controller-to-processor agreements
There are various practical considerations to explore when negotiating controller-to-processor agreements.
As part of your strategy, you should consider the following:
- Understand the types of personal data to be processed under the contract and its value. Consider the risks of what could go wrong if that data is compromised or misused.
- Know your baseline position, what you need from the counterparty and what you are willing to compromise on. To successfully negotiate controller-to-processor agreements, you should think about how the relationship between the parties will work in practice and be willing to be flexible. If you are a controller, for example, consider whether you really need an indemnity from the supplier to get your deal over the line.
- Remember that you need to balance data protection compliance and security with the ability to do business with processors. Overly onerous and stringent requirements on data processors may become too complicated and cause concerns.
Whilst you can bring several legal arguments to the negotiation table either as a controller or processor, think practically and commercially.
As a controller, you should not aim to create a contract that is so overly onerous that the supplier will not be able to comply with it and will refuse to do business with you.
- As a supplier, you should consider making sensible allowances to keep your controller customer happy – for example, by offering them comfort on critical issues such as liability, which is likely to be their biggest concern. In practice, adopting a ‘take it or leave it approach’ may not help you win customer trust.
Overall, both parties should work together to achieve a reasonable compromise and listen to each other’s concerns. Whilst controllers often demand very high standards of processors, a balance needs to be struck so that each party is comfortable with the agreement. Ultimately, the parties will need to reach a resolution to be able to do business with each other.
Further, protracted negotiations can cause delays and can incur significant costs. In the worst case, a negotiation approach which is too strict or onerous can even ‘kill the deal’ and lead to loss of business. As such, taking a risk-based and pragmatic approach may help businesses successfully negotiate controller-to-processor agreements more easily and faster.
Summary
Controller-to-processor agreements have been heavily negotiated since the GDPR came into force in 2018 and increased the risk around data processing for both controllers and processors.
Each controller-to-processor agreement should be considered on a case-by-case basis, depending on the risks of the processing involved. Data processors are unlikely to accept highly onerous terms, which are disproportionate to the risks of the data being processed.
When negotiating a controller-to-processor agreement, you should carefully review all the terms proposed and ensure you understand them and what is expected of you. If not, you could fall in breach of your contract and the other party could have various legal remedies against you.
Overall, the parties negotiating controller-to-processor agreements should take a commercial and pragmatic approach. The end goal is to reach an agreed set of terms to do business together. You are far more likely to achieve this by being reasonable and open to compromise and adopting a collaborative approach.
If you need help with negotiating a data processing agreement, contact our experienced Data Privacy experts.
