Data Processing Agreement (UK to Non-EEA)
26 November 2023 Update: This document has been reviewed and updated for compatibility with the UK-US Data Bridge and other “partial findings of adequacy” relating to specific organisations, legislation, and frameworks.
UK data protection legislation, consisting chiefly of the UK GDPR and the Data Protection Act 2018, requires that all data processing carried out by a data processor on behalf of a data controller is covered by a written contract.
This document is compatible with the ICO’s International Data Transfer Agreement (IDTA). For transfers from the UK, the IDTA replaces the old EU Standard Contractual Clauses. For UK to non-EEA transfers, the ICO offers “data exporters” two options: the IDTA itself, or the ICO’s International Data Transfer Addendum to the EU Commission’s current Standard Contractual Clauses.
If personal data is transferred to a non-EEA country and the use of such clauses is required, the completed clauses (e.g., the IDTA) should be attached to this document as a schedule. A template IDTA is available from Simply-Docs here or from the ICO’s website here. Please note that the IDTA is published under the Open Government Licence 3.0. It is available commercially from Simply-Docs for your convenience and can also be downloaded for free from the ICO.
Personal data processing may take place within the context of a broader range of services. This agreement can be used as a standalone document, with such services described in a schedule, or in conjunction with a separate service agreement. Options are included for both and should be selected accordingly.
This Data Processing Agreement is designed for use where a data controller in the UK collects and uses personal data (about its customers or staff, for example) and wishes to engage a data processor located outside the EEA (in a “third country”) to process that personal data on its behalf.
It is important to note that while the UK is no longer part of the EU or EEA, transfers of personal data from the UK to EEA countries are permitted to continue unrestricted. Transfers to non-EEA countries, however, must conform with additional rules. If you are using a data processor located in the UK or EEA, an alternative Data Processing Agreement template is available.
Personal data can be transferred to third countries on various bases. The role of these transfer mechanisms is to safeguard the personal data and the rights of individuals, either by ensuring that the destination country has adequate data protection laws of its own, or by other means.
In addition to the aforementioned transfers to the EEA, personal data can also be transferred to countries that are covered by adequacy regulations (this also includes partial findings of adequacy).
Alternatively, other safeguards may provide suitable protection, such as binding corporate rules, standard contractual clauses (see below), contractual clauses agreed and authorised by the ICO, compliance with an approved code of conduct (e.g., one approved by the ICO), or certification under an approved certification mechanism. (Please note that this is a non-exhaustive list.)
This document addresses a number of scenarios and includes, as noted above, a reference to the various forms of Standard Contractual Clauses or “SCCs”, including the ICO’s IDTA.
It is important to note that SCCs, the IDTA included, are to be used in addition to this agreement, not instead of it. This document fulfils the requirements of Article 28(3) of the UK GDPR as a contract between a data controller and a data processor.
Data processing agreements are designed to carefully regulate the activities of data processors with respect to personal data, with a particular emphasis on their compliance with applicable data protection legislation, most notably, the UK GDPR. Key features required (and included in this template) include:
- Details of the subject matter, nature, purpose, and duration of the data processing;
- Details of the type(s) and categories of personal data and data subjects;
- Processors must act only on written instructions from controllers;
- Personnel processing personal data must be subject to obligations of confidence;
- The processing must take place securely, with suitable organisational and technical measures in place;
- Processors can only subcontract the processing of personal data with the consent of the controller, and only then under a written contract that imposes the same obligations on the subcontractor as are imposed on the processor by the main contract;
- Processors must assist controllers in fulfilling their obligations under data protection law, including those relating to secure processing, data breaches, impact assessments, and the exercise by data subjects of their rights under the UK GDPR;
- Personal data must be deleted (or otherwise disposed of) appropriately by processors at the end of the contract; and
- Processors must comply with audits and other inspections carried out by the controller in order to verify compliance with the law and with the contract.
Another important requirement which many processors must comply with relates to record-keeping. This is addressed in clause 13.2 of the template. Note, however, that the clause is optional (enclosed in square brackets). This is because the UK GDPR states that the requirement applies only if the processor employs 250 people or more or, if fewer, if the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special category personal data or personal data relating to criminal convictions or offences.
Notwithstanding the above exception concerning records, processors are still required to make available all information to controllers that is necessary to demonstrate compliance with the law. Keeping records may, therefore, be of value whether strictly required by the UK GDPR or not.
Further provisions in this Data Processing Agreement govern liability and indemnity and, in this case, have been written to strike a balance between the data controller and data processor.
Please note that transferring personal data to territories outside of the UK or EEA is a highly complex legal area. This template has been designed to assist in compliance with the UK’s data protection legislation when processing personal data in third countries, but obtaining legal advice is strongly recommended. The ICO also provides help and guidance for SMEs.
Optional phrases / clauses are enclosed in square brackets. These should be read carefully and selected so as to be compatible with one another. Unused options should be removed from the document.
This Data Processing Agreement (UK to Non-EEA) contains the following clauses:
1. Definitions and Interpretation
2. Scope and Application of this Agreement
3. Provision of the Services and Processing Personal Data
4. The Data Processor’s Obligations
5. Confidentiality
6. Employees [and Data Protection Officer[s]]
7. Security of Processing
8. Data Subject Rights and Complaints
9. Personal Data Breaches
10. Cross-Border Transfers of Personal Data
11. Appointment of Subcontractors
12. Return and/or Deletion or Disposal of Personal Data
13. Information [and Records]
14. Audits
15. Warranties
16. Liability and Indemnity
17. Term and Termination
18. Notices
19. Law and Jurisdiction
and the following schedules:
1. Services
2. Personal Data
3. Technical and Organisational Data Protection Measures
4. Legal Basis for Processing Personal Data Outside the EEA
5. Standard Contractual Clauses [blank schedule for inserting completed IDTA or other appropriate SCCs]
This document is unlocked and in .doc format. Either enter the requisite details in the highlighted fields or adjust the wording to suit your purposes.
Once you have purchased access to the appropriate document folder click on the “Download Document” link below. You will be asked what you want to do with the file. It is recommended that you save the document to a location of your choice prior to viewing.
Data Processing Agreement (UK to Non-EEA) is part of Business Documents. Just £35.00 + VAT provides unlimited downloads from Business Documents for 1 year.