IR35, right of substitution vs subcontracting, and the GDPR

**tarbera** · 26 February 2018, 14:54

GDPR

Originally posted by CornishYarg View Post

Q2: Does the GDPR impact on the Right of Substitution?

Would like to know, though.

GDPR has same inpact on your right of substitution as the following laws

First law: A robot may not harm a human being, or, through inaction, allow a human being to come to harm.
Second law: A robot must obey the orders given to it by human beings, except where such orders would conflict with the First Law.
Third law: A robot must protect its own existence, as long as such protection does not conflict with the First or Second Law.

**northernladuk** · 26 February 2018, 15:03

So far so good. But generally my contracts say no subcontracting without the client's approval. Usually it's an emotive subject for them -

Did you have your contract checked by an IR35 specialist? RoS is one of the three major pillars for an outside IR35 status. If they can refuse for no reason it's a fail on that point.

given I'd still be on the hook for quality and delivery, not sure why.

You are joking right? Your company has a contract to which you are sent in on their behalf. You can't do it so your company sends in another substitute and you have no idea why you'd still be on the hook?

Reading the rest of the post I can't help thinking you don't really understand the relationships between you and your company, your company and your client, your client and you. Lot of odd questions being asked.

Q1: Is substituting different to subcontracting the work?

Look up the definition of subcontract and substitution and see if you can answer that question.

**Lance** · 26 February 2018, 15:04

Originally posted by CornishYarg View Post

My contracts have a Right of Substitution clause which I've never used. I've been looking at how it would work under GDPR - and found I don't understand how it works under current laws

RoS is a contractual term that has nothing to do with GDPR.

Originally posted by CornishYarg View Post

As often found in IT there's just me as the fee-earner in my company. If I had to substitute someone for me (for holiday or illness cover) I'd need to contract the work to someone I trusted - I can't tell Bob at the desk next to mine to do it.

So far so good. But generally my contracts say no subcontracting without the client's approval. Usually it's an emotive subject for them - given I'd still be on the hook for quality and delivery, not sure why. I digress.

Q1: Is substituting different to subcontracting the work?

This is a pressing question because of Article 28(2) of the GDPR. Due to the information I see on their systems, I am a data processor for my clients (the data controller).

You're almost certainly not the 'data processor' for your client in either GDPR or DPA terms.

Originally posted by CornishYarg View Post

Article 28(2) says

Because there's only me, substituting would mean subcontracting out the work, which would be engaging another processor, which requires the written authorisation of the controller.

Which I read as invoking the "prior, written approval" problem for substitution.

Q2: Does the GDPR impact on the Right of Substitution?

In all of this I don't know what the current situation is under the Data Protection Act 1998 (DPA) re substitution and I haven't been able to find out. Ditto for subcontracting, though I've seen (and done) subcontracting without a thought other than to ensure the subcontractor has signed an NDA/knows what's confidential/takes good care of any personal data.

Would like to know, though.

you're barking up the wrong tree with the wrong of the stick, and had someone's eye out with a papercut (they hurt).

**CornishYarg** · 26 February 2018, 15:27

Originally posted by northernladuk View Post

Did you have your contract checked by an IR35 specialist? RoS is one of the three major pillars for an outside IR35 status. If they can refuse for no reason it's a fail on that point.

It went through an IPSE review.

You are joking right? Your company has a contract to which you are sent in on their behalf. You can't do it so your company sends in another substitute and you have no idea why you'd still be on the hook?

You've got what I meant totally the wrong way round. I'm saying I'm on the hook, operating as an external company providing services, and I don't get the objection of many clients to my company subcontracting work.

Reading the rest of the post I can't help thinking you don't really understand the relationships between you and your company, your company and your client, your client and you.

Great - look forward to you unpacking that.

Look up the definition of subcontract and substitution and see if you can answer that question.

Did that before posting here. I'm not stupid, I don't set myself up for ridicule except as a last resort. This was one: https://forums.contractoruk.com/publ...ml#post2386687

But given I'd have to subcontract to substitute, the two are entwined.

**Lance** · 26 February 2018, 15:29

Originally posted by CornishYarg View Post

But given I'd have to subcontract to substitute, the two are entwined.

You could employ someone to substitute. That's the usually implied meaning (or what I have inferred).

**malvolio** · 26 February 2018, 15:31

Just to be clear, since it's not certain that you are:

Sub-contracting - you hire someone to do part or all of the work required by your contract under a separate commercial agreement between YourCo and TheirCo.

Substitution - you hire someone to work under the terms of YourCo's existing contract and you (presumably) take a portion of their fees. They can be contractors in their own right or (probably not such a good idea) an employee of yours.

Neither has any obvious impact on GDPR but I'm no expert on that side of it.

**CornishYarg** · 26 February 2018, 15:34

Originally posted by Lance View Post

RoS is a contractual term that has nothing to do with GDPR.

Sure. But if I need to contract someone to fulfill the substitution, and 'data processor'ing is involved, then the GDPR touches on it.

You're almost certainly not the 'data processor' for your client in either GDPR or DPA terms.

The doubt came about after calling the ICO's helpline. My company has access to personal data to fulfil tasks for clients (analyse logs, copy data between databases etc), and because I am not an employee of the client but a distinct legal entity, their "it sounds like..." was that I would fall as a data processor, complete with the need for processing agreements with each client.

Not heard that one before, so posting here.

you're barking up the wrong tree with the wrong of the stick, and had someone's eye out with a papercut (they hurt).

I really hope so, because both on the 'data processor' front and 'substitution', it'll be a PITA if not

**Lance** · 26 February 2018, 15:43

Originally posted by CornishYarg View Post

Sure. But if I need to contract someone to fulfill the substitution, and 'data processor'ing is involved, then the GDPR touches on it.

The doubt came about after calling the ICO's helpline. My company has access to personal data to fulfil tasks for clients (analyse logs, copy data between databases etc), and because I am not an employee of the client but a distinct legal entity, their "it sounds like..." was that I would fall as a data processor, complete with the need for processing agreements with each client.

Not heard that one before, so posting here.

I really hope so, because both on the 'data processor' front and 'substitution', it'll be a PITA if not

Rather than ring the ICO helpline I suggest you talk to the client's Data Controller.

Being a distinct legal entity shouldn't make you responsible IMO unless you were taking the data off-site to process on your own systems (I assume you're using client's systems and processes).

IANAL

EDIT: I still don't think it has a bearing on RoS.

**tarbera** · 26 February 2018, 16:04

lol

Originally posted by CornishYarg View Post

Sure. But if I need to contract someone to fulfill the substitution, and 'data processor'ing is involved, then the GDPR touches on it.

The doubt came about after calling the ICO's helpline. My company has access to personal data to fulfil tasks for clients (analyse logs, copy data between databases etc), and because I am not an employee of the client but a distinct legal entity, their "it sounds like..." was that I would fall as a data processor, complete with the need for processing agreements with each client.

Not heard that one before, so posting here.

I really hope so, because both on the 'data processor' front and 'substitution', it'll be a PITA if not

My original Reply stands

I have just shown this thread to my highly trained £1.5K/day team of GDPR Lawyers

They have asked If they can have your consent to use in a upcoming "Funny" section of an upcoming GDPR Conference? - PM me please

IR35, right of substitution vs subcontracting, and the GDPR