Commissioned processing under British data protection law

In contrast to data controllers, data processors are not subject to the provisions of the Data Protection Act (DPA) 1998 (ENG) provided this data is processed on behalf of the data controller. The decisive factor is that a data processor only processes the data on behalf of the data controller (see article 1 of the DPA).

In accordance with the explanations on the seventh principle of the DPA (cf. schedule I), the data controller must, in order to meet the legal requirements in terms of data protection,

  • choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and
  • take reasonable steps to ensure compliance with those measures.

There are no indications in the DPA as to what “sufficient” means or how often the checks on complying with the measures are to be carried out. It depends on the type and scope of processing.

The British Information Commissioner (ICO), www.ico.org.uk has published a guide to data processing:

The explanations on the seventh principle require, furthermore, where processing of personal data is carried out by a data processor on behalf of a data controller, processing can only be carried out under a contract

  • which is made or evidenced in writing, and
  • under which the data processor is to act only on instructions from the data controller.

Furthermore, the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.

The data processor must, in accordance with this, provide sufficient technical and organisational measures in order to protect personal data from unauthorised access and against any other form of illegal personal data processing.

If the data processor is tasked with processing data in a third-party country (outside the EU/EEA), the provisions of the eight principle on data transfer to third countries apply. This means that the data controller must ensure that any personal data transferred overseas remains adequately protected.