Q&As

Can a sub-contractor rely on Article 6(1)(b) of the General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR) as a lawful basis of processing when processing the relevant personal data as ‘processor’ on behalf of a controller where that controller has entered into the relevant contract that may form the lawful basis under Article 6(1)(b) of the GDPR with the data subject?

Published on LexisPSL on 01/06/2018

The following Commercial Q&A provides comprehensive and up-to-date legal information covering:

  • Can a sub-contractor rely on Article 6(1)(b) of the General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR) as a lawful basis of processing when processing the relevant personal data as ‘processor’ on behalf of a controller where that controller has entered into the relevant contract that may form the lawful basis under Article 6(1)(b) of the GDPR with the data subject?
  • Processing personal data for the performance of a contract
  • Use of processors generally

Processing personal data for the performance of a contract

In answering this Q&A, we assume the sub-contractor is acting as ‘processor’ and the other party as ‘controller’ as defined under the General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR). For further information on the meaning of those terms, see Practice Note: Supply chains under data protection law—arrangements between controllers and processors.

As a general principle, Article 5(1) of the GDPR states that personal data shall (among other things): ‘be processed lawfully, fairly and in a transparent manner in relation to the data subject…’. Article 5(2) of the GDPR states: ‘The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1…’.

Article 6(1) of the GDPR states:

‘Processing shall be lawful only if and to the extent that at least one of the following applies…(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract…’

The obligation to comply with Article 6(1) of the GDPR is read to fall on the controller rather than the processor (see, for example, the limited list of obligations under the GDPR which the UK Information Commissioner’s Office (ICO) have identified as falling on the processor in ‘Accountability and governance—Contracts’ of the ICO Guidance: Guide
