Date updated: Thursday 31st January 2019

The question of ‘When is a GDPR Contract required?’ arises when a school shares personal data with another entity. The general position is that it depends on the circumstances of the data sharing.

There are three main circumstances

Controller to processor

If you share personal data with another legal entity and such entity is your processor then the controller is required under Article 28 of the GDPR (and the new Data Protection Act 2018) to put a contract in place. Although the 1998 Act also required a contract to be in place in these circumstances, the GDPR requires a contract with a broader and more detailed list of terms. An analysis of the circumstances in each case will reveal whether you determine “the purposes and means of the processing”, which is the defining characteristic of control.

Joint controllers

When two or more parties jointly determine the purposes and means of processing data, under Article 26 of the GDPR an “arrangement” must be put in place between the parties. This scenario is quite rare but only an analysis of the circumstances will reveal whether this relationship applies.

Sharing between controllers

This situation is more common than people think and may apply where a legal entity with whom you share personal data is a controller of such shared personal data to some extent in its own right. Only a detailed analysis of the relationship will identify whether this is the case. For schools this situation usually (but not always) arises where there is a need to share certain specified data with the DfE, Ofsted and examination bodies. Data sharing between two controllers does not usually by law require a contract but it is not uncommon to agree certain contractual restrictions on the use of data when sharing data with other legal entities

As is often the case, there are always exceptions to the general position above, so please seek further legal advice.

Conclusion

In many situations, particularly in suppliers’ standard terms of business, organisations are adopting a hybrid approach which acknowledges the possibility of a controller to processor relationship but includes some targeted restrictions on data sharing to the extent that the other party is a controller. However, before committing to these terms, it is advisable to arrange a legal review as we have come across some problems:

  • Lack of clarity on whether the supplier is your processor – this creates difficulties when dealing, for example, with data subjects exercising their rights;
  • The supplier has cherry picked some and not all of the required terms of Article 28;
  • The supplier has limited its liability leaving a controller potentially exposed to third party claims without the ability to seek appropriate recompense from the processor;
  • The terms require indemnities from schools (often hidden in the small print supposedly specific to schools) – this is problematic on multiple levels particularly because the Education & Skills Funding Agency Academies Financial Handbook 2018 states that “Academy trusts must obtain ESFA approval beyond delegated authority limits before entering into …indemnities.”