12. Appointing Contractors Who Access The College's Personal Data
12.1. If the College appoints a contractor who is a Processor of the College’s Personal Data, Data Protection Laws require that the College only appoints them where the College has carried out sufficient due diligence and only where the College has appropriate contracts in place.
12.2. One requirement of GDPR is that a Controller must only use Processors who meet the requirements of the GDPR and protect the rights of individuals. This means that data protection due diligence should be undertaken on both new and existing suppliers. Once a Processor is appointed, they should be audited periodically to ensure that they are meeting the requirements of their contract in relation to Data Protection.
12.3. Any contract where an organisation appoints a Processor must be in writing.
12.4. You are considered to have appointed a Processor where you engage someone to perform a service for you and, as part of it, they may get access to your Personal Data. Where you appoint a Processor, you, as Controller, remain responsible for what happens to the Personal Data.
12.5. GDPR requires the contract with a Processor to contain the following obligations as a minimum:
12.5.1. to only act on the written instructions of the Controller;
12.5.2. to not export Personal Data without the Controller’s instruction;
12.5.3. to ensure staff are subject to confidentiality obligations;
12.5.4. to take appropriate security measures;
12.5.5. to only engage sub-processors with the prior consent (specific or general) of the Controller and under a written contract;
12.5.6. to keep the Personal Data secure and assist the Controller to do so;
12.5.7. to assist with the notification of Data Breaches and Data Protection Impact Assessments;
12.5.8. to assist with subject access/individuals' rights;
12.5.9. to delete/return all Personal Data as requested at the end of the contract;
12.5.10. to submit to audits and provide information about the processing; and
12.5.11. to tell the Controller if any instruction is in breach of the GDPR or other EU or member state data protection law.
12.6. In addition, the contract should set out:
12.6.1. the subject-matter and duration of the processing;
12.6.2. the nature and purpose of the processing;
12.6.3. the type of Personal Data and categories of individuals; and
12.6.4. the obligations and rights of the Controller.