Data Controllers cannot sub-contract their obligations under data legislation


Following the ICO’s first fine under the GDPR since it came into effect, issued in December, we revisit how the decision confirmed that the presence of a sub-contractor does not absolve a data controller of its responsibilities and obligations under the GDPR to ensure the security of any processing undertaken by it or on its behalf.

The fine of £275,000 was issued to Doorstep Dispensaree Limited (“Doorstep”), a pharmaceutical company that supplies medicines to care homes. In July 2018, the Medicines and Healthcare Products Regulatory Agency (“MHRA”), in the course of a separate investigation, had found some 500,000 documents in unlocked containers in an open courtyard at the back of the company’s premises. It was as a result of the MHRA making this discovery and subsequently notifying the ICO that the fine was issued to Doorstep for failing to ensure the security of special category data.

The documents, which were dated over a period of more than two years from January 2016 to June 2018, contained personal data such as customers’ names, addresses, dates of birth and NHS numbers, as well as special category data such as medical and prescription information.

Doorstep was found to have processed personal data in contravention of a number of provisions of the GDPR, which together were serious enough to warrant a fine. What is of particular note, however, is that Doorstep argued that any penalty should instead be issued against Joogee Pharma Limited (“Joogee”), a licensed waste disposal company operating under contract to Doorstep. Doorstep had explained to the ICO that it employed this company to collect and shred the medical data on its behalf. However, there was no contract between Doorstep and the company, and some of the data dated back to 2016 and had remained unshredded.

Ultimately, the ICO determined that Joogee was a data processor acting on the instructions of Doorstep and carrying out data processing on its behalf. The ICO confirmed that it was appropriate to issue the penalty against Doorstep, on the basis that it is Doorstep, as controller, that determines the purposes and means of the processing. The lesson for all data controllers is that the presence of a sub-contractor does not absolve them of their responsibilities and obligations under the GDPR to ensure the security of any processing undertaken by them or on their behalf.

This raises the question: do you know whether your third-party suppliers adhere to data protection standards, and do you have sufficient contracts, policies, procedures and protections in place to help minimise the increased risk of data breaches through your supply chain? Please take a look at our article on the importance of supply chain security in SC Magazine (registration is free) if you would like to know more.
