
Ireland: An overview of Vendor Privacy Contracts


1. Governing Texts

1.1. Legislation

1.2. Regulatory authority guidance

The European Data Protection Board ('EDPB') has released:    

The Data Protection Commission ('DPC') has issued the following guidance:

1.3. Regulatory authority templates

The European Commission has released the following decisions on standard contractual clauses ('SCC') for transfers of personal data to jurisdictions outside of the EU/EEA:

The Article 29 Working Party ('WP29') released the following documents, which have been endorsed by the EDPB:

2. Definitions

Data controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (Article 4(7) of the GDPR).

Data processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) of the GDPR).

3. Contractual Requirements

3.1. Are there requirements for a contract to be in place between a controller and processor?

Section 80(1) of the DPA states that a controller shall engage a processor to carry out processing on its behalf only where, subject to Section 80(3) of the DPA, the processing is carried out in pursuance of a written contract between the controller and the processor that provides for the matters specified in Section 80(2) of the DPA.

Section 80(3) of the DPA provides that Section 80(1) of the DPA shall not apply in relation to processing where the form of the processing and the role of the controller and the processor concerned are otherwise specified in the law of the European Union ('EU') or the law of the State.

3.2. What content should be included?

Section 80(2) of the DPA requires that a contract entered into between a controller and a processor in accordance with Section 80(1)(a) of the DPA shall:

  • specify the subject matter, duration, nature and purpose of the processing to be carried out thereunder;    
  • specify the type of personal data to be processed thereunder and the categories of data subjects to whom the personal data relate;    
  • specify the obligations and rights of the controller in relation to the processing; and   
  • provide that the processor shall:                          
    • act only on instructions from the controller in relation to the processing, except in so far as the law of the EU or the law of the State requires the processor to act otherwise;            
    • procure the services of another processor in relation to the processing only where authorised to do so in advance and in writing by the controller, which authorisation may be specific or general in nature;            
    • ensure that any person authorised to process the personal data has undertaken to maintain the confidentiality of the personal data or is under an appropriate statutory obligation to do so;         
    • assist the controller in ensuring compliance with the Act in so far as it relates to the exercise by a data subject of his or her rights;            
    • erase or return to the controller, at the election of the controller, all personal data upon completion of the processing services carried out by the processor on behalf of the controller and erase any copy of the data, unless the processor is required by the law of the EU or the law of the State to retain the data; and            
    • make available to the controller all information necessary to demonstrate compliance by the processor with Section 80 of the DPA.        

The practical guide to controller-processor contracts provides that there are a number of other provisions which controllers and processors may wish to include in data processing contracts, which are not mandatory for inclusion under the GDPR, including:    

  • liability provisions (including indemnities);    
  • detailed (technical) security provisions; and/or    
  • additional cooperation provisions between the controller and processor.

The practical guide to controller-processor contracts goes on to add that such additional provisions may be agreed between controllers and processors on a case-by-case basis.

4. Data Subject Rights Handling & Assistance

4.1. Are processors required to assist controllers with handling of data subject requests?

Section 80(2)(d)(iv) of the DPA provides that a contract entered into between a controller and a processor shall provide that the processor will assist the controller in ensuring compliance with the DPA in so far as it relates to the exercise by a data subject of their rights.

For further information see Ireland - Data Subject Rights.

For further information on data subject rights under the GDPR see EU-GDPR Data Subjects Rights.

5. Processor Recordkeeping

5.1. Are processors required to keep records of their processing activities?

Section 81(2) provides that a processor shall create and maintain a record in writing of each category of processing activity carried out by the processor on behalf of a controller containing the following information:    

  • the identity and contact details of:                          
    • the processor,            
    • each controller on behalf of which the processor is carrying out the processing, and            
    • the processor's data protection officer, where applicable;            
  • a description of each category of processing carried out on behalf of each controller;    
  • details of any transfer of personal data to a third country or an international organisation, if applicable, including the identification of the third country or international organisation to which the data are transferred; and    
  • where possible, a general description of the technical and organisational security measures implemented in respect of the processing activity in accordance with Section 72(1) of the DPA.

Section 81(3) of the DPA goes on to state that a controller or processor shall, where requested to do so, make a record created and maintained pursuant to Section 81(1) or 81(2), as the case may be, available to the DPC for inspection and examination.

6. Security Measures

6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?

Section 80(1)(b) of the DPA provides that a controller shall engage a processor to carry out processing on its behalf only where the processor provides sufficient guarantees that it will implement appropriate technical and organisational measures to ensure that the processing complies with the provisions of the DPA and that the rights and freedoms of data subjects are protected.

Moreover, Section 78 of the DPA provides that, for the purposes of determining the appropriate technical and organisational measures in relation to personal data that a controller or processor is required to take in order to ensure compliance with the DPA, the controller or processor, as the case may be, shall, where relevant, have regard to the following matters:

  • the nature of the personal data concerned;    
  • the accessibility of the data;    
  • the nature, scope, context and purpose of the processing concerned;    
  • any risks to the rights and freedoms of individuals arising from the processing concerned;    
  • the likelihood of any such risks arising and the severity of such risks;    
  • the state of the art and the cost of implementation; and    
  • guidelines, recommendations and descriptions of best practice issued by the DPC or the EDPB.

7. Breach Notification

7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?

Section 85 of the DPA provides that where a processor becomes aware of a personal data breach, the processor shall notify the controller on whose behalf the data are being processed of the breach, in writing and without undue delay.

For more information see Ireland - Data Breach.

For further information on breach notifications under the GDPR, see EU – GDPR – Data Breach.

8. Subprocessor

8.1. Are subprocessors regulated? If so, what obligations are imposed?

Section 80(4) of the DPA states that where a controller gives an authorisation, whether specific or general in nature, to a processor (including a secondary processor) to procure the services of a secondary processor, the procuring processor shall inform the controller and, where relevant, any processor who procured the services of the procuring processor in relation to the processing concerned, in advance of any such procurement or of any change in the terms of such procurement.

Moreover, Section 80(5) of the DPA provides that where a processor procures the services of a secondary processor to carry out processing on behalf of a controller, Sections 80(1) and 80(2) shall apply to the processor and the secondary processor, subject to the modifications set out in Section 80(5).

9. Cross-Border Transfers

9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?

Section 96(4) of the DPA stipulates that, without prejudice to the generality of Section 71 of the DPA, a processor shall not transfer personal data to a third country or an international organisation, or to a recipient in a third country, unless explicitly instructed in writing to do so by the controller.

Following the publication of the CJEU's judgment in C-311/18 Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems ('Schrems II') on 16 July 2020, which upheld the validity of the SCCs in general while invalidating the EU-US Privacy Shield data transfer certification mechanism, the EDPB released its Recommendations on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data, as well as complementary Recommendations on the European Essential Guarantees for Surveillance Measures, aimed at assisting controllers and processors to 'verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses'.

For further information on data transfers under the GDPR, see: EU – GDPR – Data Transfers.

10. Regulatory Assistance

10.1. Are processors required to assist controllers with regulatory investigations?

Section 83 of the DPA provides that a controller or a processor shall, on request by the DPC, cooperate with and assist the DPC in the performance of its functions under the DPA.

11. Processor DPO / Representative

11.1. Are processors required to appoint a DPO / representative?

Data Protection Officer ('DPO')

There are no national variations.

For more information see Ireland - Data Protection Officer Appointment.

Representative

There are no national variations.

12. Supervision & Monitoring

12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?

There are no national variations.


Authored by OneTrust DataGuidance
