What must I agree with my processors to be compliant for GDPR? #GDPR

You must have a contract or other legal provision which ensures that they are GDPR compliant, and if they are not based in the UK, additional requirements may apply.

In brief, the contract must include or stipulate:

  1. Documented instructions from the data controller, including for transfers to a third country or international organisation;
  2. Ensuring that persons authorised to process the personal data have committed themselves to confidentiality or are under a statutory obligation of confidentiality, for example pharmacists and pharmacy technicians;
  3. Ensuring that the processor takes all the measures required by the GDPR to process personal data securely;
  4. The processor must agree not to pass personal data to another processor except with the prior written authorisation of the data controller and, if this is given, must apply the same data protection requirements to the contract with the additional processor;
  5. The processor must assist the data controller in complying with data subject rights;
  6. The processor must assist the controller in complying with its obligations relating to security and data breaches;
  7. At the choice of the data controller, the processor will delete or return all personal data at the end of the contract or provision of services, unless required by law to keep them;
  8. The processor will make available to the controller all information necessary to demonstrate compliance with these obligations, including audits and inspections conducted by the data controller or somebody mandated by the controller.

Processors may not pass the personal information to a third party – another processor – without prior written authorisation from the data controller; and if this is permitted the contract with the additional processor must include the same data protection requirements as the original contract.

View our GDPR page for more information