Kristie
I will assume existing contracts are fully compliant with P7 as explained in Schedule 1 Part 2 of the 98 Act.
Firstly you are confusing two different things. Acting on your written instructions refers to instructions about the processing of personal data and does not mean you can unilaterally change the terms of the contract. That is something different.
Acting on your instructions in relation to processing is preserved from 98 but now also needs to be documented. So clarify your instructions (you could use the template in Annex A Part 2 of the Crown Procurement Service PPN) in writing and issue those even if the contract terms are still in the air. Any departure from those you report to the ICO. In many cases they could even be committing a criminal offence - taking actions without original controller authority - and as Tim says become a controller themselves.
As to the contract terms that is trickier. Firstly you need to look at what if anything your existing contract says about variation and dispute procedures. Secondly you need to be clear whether their terms do or do not comply with Article 28.
The things that need to be in, but were not required as such under P7, I would summarize as follows (many contracts have some of these anyway even though it was never legally required, e.g. control of sub-processors):
* instructions to be DOCUMENTED
* employee confidentiality provision
* no sub-p w/o authority
* assist with SAR and other rights
* delete or return
* demonstrate compliance and allow audit
If the terms they are proposing meet these requirements, even if not quite how you would like it, then subject to your existing variation and dispute clauses there is little you can (or need to) do. You will be compliant from 25 May.
If they do not meet requirements then you have a problem if your existing variation and dispute terms are non-existent or not robust enough. Generally changes to the law cannot retrospectively change contracts but the position is complicated - see e.g. https://www.out-law.com/en/topics/projects--construction/construction-contracts/variations-to-contracts-and-changes-in-the-law/ If pushed I would guess our courts might imply a term into the original contract that the parties would comply with DP law as applicable at any time in which case you would have a method for forcing change. If the terms are inadequate and they will not budge and it is mission critical you need (a) to engage a good contract lawyer and (b) I would report to ICO after 25 May and seek ICO advice. Don't be too afraid of your supplier - they are unlikely to pull the plug. They would potentially face a huge action from you for breach if they did.
If it's any consolation a good proportion of changes proposed by processors I have rejected as being inadequate. Mine have so far bowed down in the face of a proper explanation of why. I have also had many good ones - which saves me a lot of time as a controller and in practice where you have a processor acting nationally for many organisations it makes sense for them to "dictate" the terms.
One final caution - look at the WHOLE agreement. One processor (who supplied a web application) proposed good terms based on the PPN but also snuck in a clause reserving the right to change the specification of the app without notice - clearly incompatible with acting on our instructions for changes which affected the personal data - in theory they could e.g. have just deleted a whole data field from the app! They modified to exclude incompatible changes.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^