The Processor shall provide reasonable assistance to the Controller in complying with its obligations under the Data Protection Legislation, including: (a) promptly informing the Controller of any communication from a data subject regarding the processing of their personal data under this Agreement; (b) promptly complying with any request from the Controller requiring the Processor to amend, transfer or delete the personal data; (c) making available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allowing for and contributing to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
Here is a plain English explanation of the Assistance to the Controller clause:
This clause requires the Processor to help the Controller comply with data protection laws when processing personal data under the contract.
Specifically, the Processor must:
- Promptly tell the Controller if any data subject contacts them about how their personal data is being processed.
- Quickly follow any Controller requests to change, transfer, or delete personal data.
- Provide the Controller with any information needed to show compliance with GDPR Article 28. This includes participating in audits and inspections of data processing activities.
In simple terms, this clause obligates the Processor to assist the Controller in meeting data protection requirements and responding to data subjects' rights requests relating to the personal data processing under the contract.
The Processor must enable auditing and provide documentation demonstrating legal compliance.
The historical background behind assistance to the controller clauses stems from developments in data protection laws in the late 20th century.
As computing advanced and more personal data was processed, new privacy risks emerged.
In the 1970s, countries like Sweden and Germany enacted early data protection laws recognizing individuals' rights over their personal information. However, oversight and enforcement mechanisms were limited.
In the 1980s-90s, the EU pursued harmonized data protection standards across member states. This led to the 1995 EU Data Protection Directive, which introduced key principles like lawful processing grounds and data subject rights. But operational guidance for entities processing data was still minimal.
Realizing detailed obligations were needed for entities handling personal data, the EU included more prescriptive processor requirements in the GDPR replacing the Directive in 2016. GDPR Article 28 now specifies processors must assist controllers with compliance, audits, and responding to data subjects, codifying these duties.
Including assistance clauses in contracts became vital for allocating liability between controllers and processors per GDPR accountability rules. They uphold the duties in Article 28 and provide controllers recourse if processors mishandle data.
As data processing activities outsourcing increased, properly instructing processors in contracts grew more crucial.
Reflecting this, modern standard clauses now commonly include specific assistance to the controller provisions to contractually bind GDPR Article 28 mandates.