The minimum information a processor needs in order to comply with its own legal responsibilities, and that the controller must include in order to comply with Article 28, is whether the data includes special categories of personal data, since their presence raises the risk profile of the data set.
For personal data that does not fall into any of:
- child data under Article 8;
- special categories of personal data under Article 9 (which adds genetic and biometric data to the 'sensitive personal data' of the old DPA 1998 and moves criminal convictions data out to Article 10); or
- criminal convictions and offences data under Article 10,
the controller will need to refer to the categories and types of data it uses in order to make sense of its information asset inventory, and must make sure that its processors can maintain the same view for the data they hold on the controller's behalf.
Types and categories of data
When looking at the meanings of 'type' and 'category' of personal data in the context of Article 28(3) and Recital 81, it is helpful to differentiate them in the following terms:

| 'Type' | 'Category' |
| --- | --- |
| Format, i.e. paper files, online profiles, etc. | Personal v sensitive, i.e. address v health data |
| Which data or data categories are processed | 'HR leaders' or 'Team Leaders' would be a category of recipients |
| Type of data may be regular or special type | Category of affected persons is customers or employees, etc. |
| | Category of data is master data, payroll data, health data, etc. |
Rules for the processor’s contract with the controller
Article 28(3) governs the processor's contract with the controller. The type of personal information has to be stated, and may be collected, observed, derived or special category data. Article 28(3)(h) requires the processor to "make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article..."; in practice, the contract should therefore provide for the controller to obtain a compliance report or audit evidence from the processor.
The controller's contract with a processor should not reveal any more about the structure of the data being provided than is needed for the processor to comply with its legal responsibilities. If the controller wishes to provide further information that the processor may require in order to carry out the technical tasks requested of it, this should be provided in a separate document with a restricted circulation list, rather than in the contract itself.
Finally, it may be necessary to provide the controller with technical requirements and details to complement a Service Level Agreement; these, however, need not form part of the formal contract.
Contact our Data Protection and GDPR Lawyers Liverpool, Wirral, Merseyside and Across England & Wales
GDPR and data protection compliance requires an in-depth understanding of the rules and how to apply them in your business’s practices. That’s why it is vital that you seek specialist GDPR advice to ensure your business avoids fines for non-compliance. We provide a thorough service, providing practical advice and solutions from employment issues to third-party interactions. For a free initial consultation with our data protection and GDPR solicitors, contact us on 0151 659 1070 or complete our online enquiry form.