GDPR may require changes to Canadian data contracts


peter murphy headshot

Canadian businesses may need to account for the European Union’s wide-reaching General Data Protection Regulation (GDPR) in their processing contracts, Toronto business lawyer Peter Murphy tells

The GDPR came into effect in May last year, replacing the looser Data Privacy Directive (DPD) which had governed the handling of personal data within the EU for more than two decades.

Murphy, partner with Shibley Righton LLP, says Canadians may wonder why they must comply with a regulation from a foreign jurisdiction, but he explains that GDPR’s reach is extensive.

"The GDPR applies to any business that engages in data processing related to goods and services offered to EU residents, regardless of where their business is located," he says.

“It also applies to businesses that monitor the behaviour of individuals where the behaviour takes place in the EU,” Murphy adds. “Where the GDPR applies, Canadians may be surprised by some of the resulting requirements.”

Whatever difficulties that compliance with the new regulation imposes on data processing businesses in this country, Murphy says they can’t afford to ignore the GDPR, thanks to the eye-watering nature of its potential penalties. Under the GDPR, fines for non-compliance may be imposed in amounts up to the larger of four per cent of an organization’s global turnover, or 20 million euros — about $30 million Canadian.

“That’s way beyond any fines that may be awarded under Canadian privacy laws,” Murphy says.

Although companies that are currently in compliance with Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA) face a smaller jump than their counterparts south of the border, Murphy says there is still a significant gap they will need to bridge to achieve GDPR compliance.

“Canadian privacy laws are more onerous than the American ones, but they still tend to be principle-based and open to interpretation, whereas the GDPR is more prescriptive and specific in terms of the obligations it imposes,” he says.

For example, Murphy says the GDPR divides its data processing requirements into two categories: those for “data controllers” who determine the purpose and means of processing certain personal data, and a separate set for “data processors,” who process data on behalf of controllers.

“It’s important to understand the distinction,” says Murphy, adding that the GDPR lays out specific requirements for inclusion in contracts concerning the processing of personal data. These requirements include the following:

  • Data processors must be obligated to process personal data based only on a documented instructions from the data controller: “Every instruction must be documented, so those given orally may not be sufficient,” Murphy says.

  • Persons authorized to process data must be subject to confidentiality requirements.

  • Data controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which may include the use of encryption, the ability to restore the availability and access to personal data in the event of a physical technical incident and a method for security testing and assessment.

  • The contract must stipulate that the data processor will assist the data controller by the appropriate technical and organizational means to respond to requests concerning the data subject’s rights, which includes their rights of access, rectification of errors, data portability, and to be forgotten. “These requirements are not only more explicit than in PIPEDA but go beyond the requirements in that legislation,” Murphy says.

  • Processors must be obligated to assist controllers in complying with their data protection impact assessments and breach notification obligations under the GDPR, both to government authorities and individual data subjects.

  • Data processors must be obliged to delete or return all personal data to the controller after the end of their provision of service, at the data controller’s request.

  • Data processors must be required to make available all the information necessary for a data controller to demonstrate compliance with these GDPR requirements and allow for compliance audits.

Murphy says that covering the GDPR properly in data processing contracts is more than just an exercise in legal compliance.

"Complying with these requirements may impose unanticipated costs on one or more parties to these agreements,” Murphy says. “Taking the GDPR's requirements into account is of great importance now that the GDPR is in force, not only to avoid fines but also to properly allocate obligations arising from compliance and related costs among the parties to data processing contracts.”