Data Processing Agreement (UK to Non-EEA)
UK data protection legislation, consisting chiefly of the UK GDPR and the Data Protection Act 2018, requires that all data processing carried out by a data processor on behalf of a data controller is covered by a written contract.
This document has been comprehensively updated. It is compatible with the UK GDPR and also includes more detailed provisions, helping to ensure that both parties have clear instructions regarding the processing of the personal data. It also includes a version of the EU Commission’s Standard Contractual Clauses with contextual amendments made by the ICO which make them more suitable for UK use under the UK GDPR.
Personal data processing may take place within the context of a broader range of services. This agreement can be used as a standalone document, with such services described in a schedule, or in conjunction with a separate service agreement. Options are included for both and should be selected accordingly.
This Data Processing Agreement is designed for use where a data controller in the UK collects and uses personal data (about its customers or staff, for example), and wishes to engage a data processor located outside the EEA (to a “third country”) to process that personal data on its behalf.
It is important to note that, while the UK is no longer part of the EU or EEA, transfers of personal data from the UK to EEA countries are permitted to continue unrestricted. Transfers to non-EEA countries, however, must conform to additional rules. If you are using a data processor located in the UK or EEA, an alternative Data Processing Agreement template is available.
Personal data can be transferred to third countries on various legal bases. The role played by these bases is to safeguard the personal data and the rights of individuals, either by ensuring that the destination country has adequate data protection laws of its own, or by other means.
In addition to the aforementioned transfers to the EEA, personal data can also be transferred to countries which, as at 31 December 2020, were covered by an EU Commission “adequacy decision”. Such adequacy decisions will be kept under review by the UK government. Now that the UK has left the EU, future adequacy decisions – now known in the UK as “adequacy regulations” – can be made by the UK government.
Alternatively, other safeguards may provide suitable protection, such as binding corporate rules, standard contractual clauses (see below), contractual clauses agreed and authorised by the ICO, compliance with an approved code of conduct (e.g. one approved by the ICO), or certification under an approved certification mechanism. (Please note that this is a non-exhaustive list.)
Standard Contractual Clauses or “SCCs”, at present, are those issued by the EU Commission in 2010. Provision has been made to allow continued use of these for restricted transfers of personal data from the UK. The ICO is intending to consult on and publish new UK SCCs this year, and the consultation is reportedly to begin in the summer.
It is very important to note that the recent Schrems II decision will apply to controllers wishing to make data transfers from the UK using the current SCCs. According to this decision, you must undertake an assessment to determine whether or not the SCCs provide a level of protection which is “essentially equivalent” to the level of protection under the UK data protection regime and, if necessary, put additional measures in place. This is a complex exercise and should not be undertaken lightly. Professional advice should be sought in the case of any doubt.
This document addresses a number of scenarios and includes, as noted above, a version of the SCCs with minor contextual amendments made by the ICO. The ICO makes the SCCs available for download and includes user-friendly guidance for each clause within the same document. This document can be downloaded from the ICO’s website.
If you opt to use SCCs as the legal basis for processing personal data outside of the EEA, the details required in the SCCs attached to this document as Schedule 5 should be completed in full. Please also note that the wording of the SCCs should not be changed (although you are able to make limited additions of your own, as explained in the ICO’s guidance, linked to above). We have not changed the wording with the exception of including our customary prompts for you to enter information. Note also that we have included the optional indemnity clause from the SCCs and an optional “Priority of standard contractual clauses” clause. This has been included to complement clause 2.4 in the main agreement. If you wish to use the clause, the square brackets around it should be removed. If you do not wish to use it, it should be removed, along with the square brackets.
It should also be noted that the SCCs, if used, are to be used in addition to the main body of this Data Processing Agreement, not instead of it. The SCCs currently in effect have not been updated in line with the EU or UK GDPR (the EU Commission is currently consulting on new SCCs, and the ICO will be soon, as noted above). The provisions of the main agreement, therefore, are designed to comply with the UK GDPR’s requirements.
Data processing agreements are designed to carefully regulate the activities of data processors with respect to personal data, with a particular emphasis on their compliance with applicable data protection legislation, most notably, the UK GDPR. Key features required (and included in this template) include:
- Details of the subject matter, nature, purpose, and duration of the data processing;
- Details of the type(s) and categories of personal data and data subjects;
- Processors must act only on written instructions from controllers;
- Personnel processing personal data must be subject to obligations of confidence;
- The processing must take place securely, with suitable organisational and technical measures in place;
- Processors can only subcontract the processing of personal data with the consent of the controller, and only then under a written contract that imposes the same obligations on the subcontractor as are imposed on the processor by the main contract;
- Processors must assist controllers in fulfilling their obligations under data protection law, including those relating to secure processing, data breaches, impact assessments, and the exercise by data subjects of their rights under the UK GDPR;
- Personal data must be deleted (or otherwise disposed of) appropriately by processors at the end of the contract; and
- Processors must comply with audits and other inspections carried out by the controller in order to verify compliance with the law and with the contract.
Another important requirement which many processors must comply with relates to record-keeping. This is addressed in clause 13.2 of the template. Note, however, that the clause is optional (enclosed in square brackets). This is because the UK GDPR states that the requirement applies only if the processor employs 250 people or more or (if fewer) if the processing is likely to result in a high risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special category personal data or personal data relating to criminal convictions or offences.
Notwithstanding the above exception concerning records, processors are still required to make available all information to controllers that is necessary to demonstrate compliance with the law. Keeping records may, therefore, be of value whether strictly required by the UK GDPR or not.
Further provisions in this Data Processing Agreement govern liability and indemnity and, in this case, have been written to strike a balance between the data controller and data processor.
Please note that transferring personal data to territories outside of the UK or EEA is a highly complex legal area. This template has been designed to assist in compliance with the UK’s data protection legislation when processing personal data in third countries, but obtaining legal advice is strongly recommended. The ICO also provides help and guidance for SMEs.
Optional phrases / clauses are enclosed in square brackets. These should be read carefully and selected so as to be compatible with one another. Unused options should be removed from the document.
This Data Processing Agreement (UK to Non-EEA) contains the following clauses:
1. Definitions and Interpretation
2. Scope and Application of this Agreement
3. Provision of the Services and Processing Personal Data
4. The Data Processor’s Obligations
6. Employees [and Data Protection Officer[s]]
7. Security of Processing
8. Data Subject Rights and Complaints
9. Personal Data Breaches
10. Cross-Border Transfers of Personal Data
11. Appointment of Subcontractors
12. Return and/or Deletion or Disposal of Personal Data
13. Information [and Records]
16. Liability and Indemnity
17. Term and Termination
19. Law and Jurisdiction
and the following schedules:
2. Personal Data
3. Technical and Organisational Data Protection Measures
4. Legal Basis for Processing Personal Data Outside the EEA
5. Standard Contractual Clauses (including Annexes)
This document is unlocked and in .doc format. Either enter the requisite details in the highlighted fields or adjust the wording to suit your purposes.