GDPR (16) Managing risks associated with subcontractors and data processing agreements

12 December 2017

As we noted previously in this blog, risks can arise, and therefore security measures need to be taken, when companies and organisations engage subcontractors. The GDPR is very clear on this point. Although subcontractors have their own responsibilities and a number of obligations, a data controller that engages a subcontractor in the role of processor always remains responsible for the data. The controller must select each subcontractor carefully and guarantee the performance of the contract, it must clearly formulate and define the relevant task, and it must verify that the subcontractor complies with its instructions and the legislation, particular with respect to security.

In recent years there has been a growing awareness among information security specialists that subcontractors always pose a risk. It is therefore unsurprising that the GDPR pays plenty of attention to this issue.

Various steps need to be taken in the different phases of a working relationship.

When selecting suppliers, attention must always be paid to data protection and information security. The controller must make sure that any subcontractor it intends to engage is aware of its obligations and can fulfil them adequately. There is no system of certification to prove a company is ‘GDPR compliant’, and I have not heard of any specific plans to introduce such a system. That said, the official bodies are encouraging professional associations to draw up codes of conduct that people can sign to show they know the rules and are prepared to follow them, and questionnaires are increasingly being used in selection procedures and in tender documentation. It is, of course, possible to obtain a certification in the area of information security, but the certification paths are highly geared towards large organisations and are not a viable proposition for every company or organisation. Always ask your future supplier about its information security policy and the applicable measures, and include both aspects in your selection criteria. Finally, keep records of the documentation you have collected.

When assigning a task, it is essential that you have some contractual clauses on data protection. The best way to do this is in the form of a data processing agreement. This may be an appendix to another contract or a framework agreement. Some general clauses can also be incorporated in your general terms and conditions, of course. Even if you have been working with a subcontractor for a long time, you still need to ensure that the subcontractor complies with the GDPR. Given the differences between the GDPR and the previous legislation, which placed less emphasis on the processor’s obligations, it is advisable to draw up an amended version of your data processing agreement.

All such data processing agreements need to include the following clauses:

  • The principal is assigned the role of controller, and the contractor/supplier/subcontractor is assigned the role of processor.
  • The processor may use the data only in accordance with the controller’s formal (preferably written) instructions.
  • The processor respects the confidentiality of the data and also imposes this obligation on all its temporary and permanent staff.
  • The processor must offer an adequate level of data protection and ensure that the data are, and remain, available for the task (using backups and measures to ensure continuity).
  • The controller must be informed immediately in the event of a data breach, and there must be a procedure in place to limit the impact of the breach. No information may be provided to the Privacy Commission or data subjects by the processor itself.
  • The processor must remove the data once the task (or the agreed retention period) has ended, and it must also be able to demonstrate that it has done so. Where applicable, it must also return the data to the controller.
  • Data must not be passed on to third parties unless the controller has given its consent. If the processor engages a subcontractor with the controller’s approval, it must ensure that the subcontractor accepts the same obligations as those set out in the data processing agreement.
  • The processor permits the controller to monitor the proper performance of the contract by carrying out assessments or audits.

As a smaller organisation, you might be able to benefit from work done by your larger suppliers, which have probably already drafted their own standard processor contracts to present to their clients. At our company, we have taken steps to ensure that our customers do not have to go to great lengths themselves to find out what the rights and obligations of the controller (principal) and processor are. We have attempted to draw up a balanced contract, which we will present to our customers in good time. We have already made a start on this, and in our role as processor we have committed ourselves to applying the GDPR in full today, even though 25 May 2018 is still some way off.

Finally, the controller also has to check whether the processor fulfils the contract properly. In the case of longer-term contracts, it will have to verify whether this is the case on a regular basis. In connection with this, it is essential that the contractual agreements include the right to perform audits. Of course, this does not mean that controllers will have to audit all subcontractors every year themselves. Large organisations perform such audits – often much to the annoyance of their suppliers – at processors that they believe pose a high risk of a personal data breach or where a personal data breach would have a major impact. In many cases, it is sufficient to check whether the supplier’s certification is renewed every year. Alternatively, you can ask the supplier to complete and sign a questionnaire in which the measures taken by the supplier have to be summed up.

As with all aspects of this legislation, the actions to be taken must be weighed against the likelihood of an incident occurring and the potential impact this would have.


Viktor D’Huys is the ICT manager of Group Joos. He is responsible for matters including data security and the coordination of the GDPR project. He is a Certified Information Security Manager (CISM certified by the ISACA) and has been awarded the CIPP/E (Certified Information Privacy Professional/Europe) credential by the IAPP (International Association of Privacy Professionals).

If you have any questions or comments, please write to us at