GDPR and the Payroll Bureau

Data Protection Accountability

The General Data Protection Regulation (GDPR) places increased responsibilities on all those parties that process personal data. With this in mind, we consider payroll bureaus and how the GDPR will impact the contract between them and their clients.

Payroll bureaus process data on behalf of the client. In data protection terms, the client will be considered the data controller and the payroll bureau will be considered the data processor.

Current data protection legislation mostly addresses data controllers, giving them the responsibility to ensure compliance when entering into an agreement with a data processor. However, the GDPR approach is different. For the first time data processors have significant responsibilities and liabilities in their own right. Under the GDPR, data processors may be liable to damages or subject to fines and other penalties.

Considering this greatly increased accountability, payroll bureaus should be extra vigilant in ensuring that they have a water-tight contract with their client. Being so much more exposed under GDPR, payroll bureaus will want to make sure their obligations are precisely defined and agreed upon in the terms of service.

With this in mind we take a look at some of the new responsibilities being placed on data processors as well as what must be in the contract between a data controller and data processor.

Requirement for a written contract between data controller and data processor

Any contracts in place on 25th May 2018 will need to comply with the new GDPR requirements. This includes existing contracts that run past 25th May 2018.

Existing Legislation

Under existing data protection laws contracts between a controller and a processor; should be in writing, should require the data processor to only process data on the instructions of the data controller and to take appropriate measures to keep all personal data secure.

Contract requirements under GDPR

Under the GDPR the contract requirements are wider. The following will be mandatory terms to be included in contracts from 25th May 2018:

• Contracts must set out the:
  
  
• Subject matter and duration of the processing 
  
  
• The nature and purpose of the processing 
  
  
• The type of personal data and categories of data subject
  
  
• The obligations and rights of the controller
  
  
  
• The following mandatory contractual terms should also be included:
  
  
• The processor must only act on the written instruction of the controller (unless required by law to act without such instruction)
  
  
• The processor must ensure that people processing the data are subject to a duty of confidence
  
  
• The processor must take appropriate measures to ensure the security of processing
  
  
• The processor must only engage a sub-processor with the prior consent of the data controller and a written contract
  
  
• The processor must assist the data controller in meeting its GDPR obligations in relation to:
  
  
• the security of processing
  
  
• the notification personal data breaches and 
  
  
• data protection impact assessments
  
  
• The contract must include end of contract provisions in order to ensure the continued security of the personal data. The processor must delete or return all personal data to the controller as requested at the end of the contract. An exemption applies where the data processor is required by law to retain data. 
  
  
• The processor must submit to audits and inspections, provide the controller with whatever information it needs and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law. 
  
  
• As a matter of good practice, contracts should:
  
  
• State that nothing within the contract relieves the processor of its own direct responsibilities and liabilities under the GDPR
  
  
• Reflect any indemnity that has been agreed

In the future, standard contract clauses may be provided by the European Commission or supervisory authorities, however no standard clauses have as yet been drafted.

To assist payroll bureaus we have created a Data Protection Agreement which can be used as an addendum to any existing client agreement to ensure you meet your GDPR obligations. Click here for further details.

Statutory obligations on data processors

In addition to the above, payroll bureaus should be aware of the statutory obligations that will be imposed upon them as data processors under the GDPR. These are:

• Not to engage a sub-processor without prior written authorisation of the client
  
  
• To ensure there is a contract with the sub-processor containing the same data protection obligations that are imposed on the lead processor.
  
  
• Only to process data in accordance with the written instructions of the client.
  
  
• Where a payroll bureau makes determinations about the processing of the data without the instructions of the controller, they will be considered to be a data controller.
  
  
• Maintain records of data processing activities in accordance with the Regulations.
  
  
• To co-operate with the supervisory authority
  
  
• To implement appropriate security measures
  
  
• Inform clients of any data breaches without undue delay
  
  
• In certain circumstances designate a data protection officer
  
  
• Comply with restrictions regarding transfers of personal data outside of the Union
  
  
• To ensure certain minimum provisions in contracts with controllers
  
  

Sample Data Protection Agreement

Conclusion

In terms of GDPR readiness, a starting point for payroll bureaus will be to review their existing client contracts to ensure they contain the required mandatory clauses. If they do not, new contracts or a data protection addendum should be drafted and signed.