Sharing and Processing Personal Data
When one party (a controller) appoints another (a processor) to process personal data on its behalf, the law requires that such processing is covered by a written contract (or “other legal act”). Such a contract should clearly set out the obligations, rights, and liabilities of both parties and must comply with the requirements of the UK GDPR governing its content.
In the event that a processor sub-contracts some or all of the processing to another party, a further written contract must be in place between the processor and that sub-contractor or sub-processor.
What Must the Contract Include?
Firstly, the contract (or other legal act) must set out the details of the personal data processing, including:
- The subject matter of the processing
- The duration of the processing
- The nature and purpose of the processing
- The type(s) of personal data involved
- The category or categories of data subject involved
- The data controller’s obligations and rights
The contract or other legal act must also state that:
- The data processor shall act only on the data controller’s written instructions unless it is required by law to act without them.
- The data processor must ensure that people (e.g., its employees) processing the personal data are subject to a duty of confidence.
- The data processor must take suitable measures to ensure the security of the processing.
- If the data processor engages a sub-processor, it may only do so with the data controller’s authorisation and under a written contract.
- The data processor must take suitable measures to assist the data controller in responding to requests from data subjects to exercise their rights.
- The data processor must assist the data controller in meeting its obligations under the UK GDPR with respect to security, notifying breaches, and carrying out data protection impact assessments. These obligations should take account of the nature of the processing and the information available to the data processor.
- The data processor shall, at the end of the contract, delete or return all personal data to the data controller, and must also delete any remaining personal data unless it is required by law to retain it.
- The data processor must submit to audits and inspections and must furnish the data controller with any information it needs to ensure that both parties are meeting their obligations under the UK GDPR.
Document Templates Available
We have a range of Data Processing Agreement templates available for data controllers based in the UK:
- Our Data Processing Agreement (UK) is designed for a scenario in which a UK data controller wishes to engage a UK data processor to process personal data only within the UK.
- Our Data Processing Agreement (UK and UK to EEA) is designed for situations in which a UK data controller wishes to engage a data processor who is located either in the UK or in an EEA country. While the UK is no longer part of the EU or EEA, transfers of personal data from the UK to EEA countries are permitted.
International Transfers of Personal Data
As noted above, personal data can continue to be transferred to EEA countries without restraint, but what about non-EEA countries? In many cases, additional rules apply because when personal data moves beyond the UK or EEA, it is no longer under the umbrella of the UK or EU GDPR. The rights of individuals therefore have to be protected using other means.
Some transfers are permitted under EU adequacy decisions or UK adequacy regulations. In such cases, the data protection framework of a particular country has been assessed and found to be adequate when measured against GDPR standards. EU adequacy decisions current as at 31 December 2020 are still valid in the UK (but will be kept under review by the UK Government). The UK can also now make its own adequacy regulations. Adequacy regulations in the UK can also include what are known as partial findings of adequacy. While adequacy regulations may apply to a country as a whole, a partial finding of adequacy may be more limited, focusing instead on specific organisations, frameworks or mechanisms, or on personal data covered by specific legislation. A significant example of this is the UK extension to the EU-US Data Privacy Framework, which allows personal data to be transferred to US organisations that have self-certified.
Another mechanism which can be used is Binding Corporate Rules. In simple terms, these apply within an international organisation and allow for transfers if both the sender and recipient have signed up to the rules. BCRs must be officially approved before they can be used and fall outside the scope of the content offered on this site.
Other options for “appropriate safeguards” include legally binding and enforceable instruments between public authorities or bodies, approved codes of conduct, certification under an approved certification scheme, or administrative arrangements between public authorities or bodies. There are also limited exceptions which may apply.
The main option, at least for the purposes of the contracts offered by Simply-Docs, however, is Standard Contractual Clauses.
Standard Contractual Clauses
The Standard Contractual Clauses or SCCs currently in use in the UK come in two forms from the Information Commissioner’s Office. The first is the International Data Transfer Agreement; the second is the International Data Transfer Addendum to the current EU Commission SCCs. Documents of this kind are designed to be used alongside another agreement which complies with the data processing provisions of the UK GDPR, such as a Data Processing Agreement.
The benefit of SCCs is that they place contractual obligations upon the controller and processor (or exporter and importer, in this context) and create enforceable rights for data subjects. In essence, they fill the statutory void left by the absence of the (UK) GDPR with contractual provisions.
Document Templates Available
- Our Data Processing Agreement (UK to Non-EEA) is designed for use by a UK data controller who wishes to engage a data processor located outside the EEA to process personal data on its behalf. The main terms of the agreement are very similar to the UK and UK to EEA version of the agreement, but this version also incorporates a reference to the International Data Transfer Agreement, which should be completed and attached to this document.
- Our version of the ICO’s International Data Transfer Agreement is designed to be used with a Data Processing Agreement. Note that it is available on our site for convenience only and can be obtained free of charge from the ICO website.