Data Processing Agreement (UK and UK to EEA)
UK data protection legislation, consisting chiefly of the UK GDPR and the Data Protection Act 2018, requires that all data processing carried out by a data processor on behalf of a data controller be covered by a written contract.
This document has been comprehensively updated. It is compatible with the UK GDPR and also includes more detailed provisions, helping to ensure that both parties have clear instructions regarding the processing of the personal data.
This Data Processing Agreement is designed for use where a data controller in the UK collects and uses personal data (about its customers or staff, for example) and wishes to engage a data processor located in the UK or EEA to process that personal data on its behalf. The UK is no longer part of the EU or EEA, but transfers of personal data from the UK to EEA countries are permitted to continue unrestricted. Transfers to non-EEA countries, however, must conform with additional rules. An alternative Data Processing Agreement template is available for such processing activities.
Personal data processing may take place within the context of a broader range of services. This agreement can be used as a standalone document, with such services described in a schedule, or in conjunction with a separate service agreement. Options are included for both and should be selected accordingly.
Data processing agreements are designed to carefully regulate the activities of data processors with respect to personal data, with a particular emphasis on their compliance with applicable data protection legislation, most notably the UK GDPR. The key requirements, all of which are addressed in this template, are:
- Details of the subject matter, nature, purpose, and duration of the data processing;
- Details of the type(s) and categories of personal data and data subjects;
- Processors must act only on written instructions from controllers;
- Personnel processing personal data must be subject to obligations of confidence;
- The processing must take place securely, with suitable organisational and technical measures in place;
- Processors can only subcontract the processing of personal data with the prior written authorisation of the controller, and only then under a written contract that imposes the same data protection obligations on the subcontractor as are imposed on the processor by the main contract;
- Processors must assist controllers in fulfilling their obligations under data protection law, including those relating to secure processing, data breaches, impact assessments, and the exercise by data subjects of their rights under the UK GDPR;
- Personal data must be deleted (or otherwise disposed of) appropriately by processors at the end of the contract; and
- Processors must comply with audits and other inspections carried out by the controller in order to verify compliance with the law and with the contract.
Another important requirement which many processors must comply with relates to record-keeping. This is addressed in clause 13.2 of the template. Note, however, that the clause is optional (enclosed in square brackets). This is because, under Article 30(5) of the UK GDPR, the requirement applies only where the processor employs 250 or more people, or, if it employs fewer, where the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special category personal data or personal data relating to criminal convictions or offences.
Notwithstanding the above exception concerning records, processors are still required to make available to controllers all information necessary to demonstrate compliance with the law. Keeping records may, therefore, be of value whether or not it is strictly required by the UK GDPR.
Further provisions in this Data Processing Agreement govern liability and indemnity and, in this case, have been written to strike a balance between the data controller and data processor.
Optional phrases / clauses are enclosed in square brackets. These should be read carefully and selected so as to be compatible with one another. Unused options should be removed from the document.
This Data Processing Agreement (UK and UK to EEA) contains the following clauses:
1. Definitions and Interpretation
2. Scope and Application of this Agreement
3. Provision of the Services and Processing Personal Data
4. The Data Processor’s Obligations
6. Employees [and Data Protection Officer[s]]
7. Security of Processing
8. Data Subject Rights and Complaints
9. Personal Data Breaches
10. Personal Data Transfers Outside of the UK [or the EEA]
11. Appointment of Subcontractors
12. Return and/or Deletion or Disposal of Personal Data
13. Information [and Records]
16. Liability and Indemnity
17. Term and Termination
19. Law and Jurisdiction
and the following schedules:
2. Personal Data
3. Technical and Organisational Data Protection Measures
This document is unlocked and in .doc format. Either enter the requisite details in the highlighted fields or adjust the wording to suit your purposes.
Once you have purchased access to the appropriate document folder, click on the “Download Document” link below. You will be asked what you want to do with the file. It is recommended that you save the document to a location of your choice prior to viewing.