Sharing and Processing Personal Data
When one party (a controller) appoints another (a processor) to process personal data on its behalf, the law requires that such processing is covered by a written contract (or “other legal act”). Such a contract should clearly set out the obligations, rights, and liabilities of both parties and must comply with the requirements of the UK GDPR governing its content.
In the event that a processor sub-contracts some or all of the processing to another party, a further written contract must be in place between the processor and that sub-contractor or sub-processor.
What Must the Contract Include?
Firstly, the contract (or other legal act) must set out the details of the personal data processing, including:
- The subject matter of the processing
- The duration of the processing
- The nature and purpose of the processing
- The type(s) of personal data involved
- The category or categories of data subject involved
- The data controller’s obligations and rights
The contract or other legal act must also state that:
- The data processor shall act only on the data controller’s written instructions unless it is required by law to act without them.
- The data processor must ensure that people (e.g., its employees) processing the personal data are subject to a duty of confidence.
- The data processor must take suitable measures to ensure the security of the processing.
- If the data processor engages a sub-processor, it may only do so with the data controller’s authorisation and under a written contract.
- The data processor must take suitable measures to assist the data controller in responding to requests from data subjects to exercise their rights.
- The data processor must assist the data controller in meeting its obligations under the UK GDPR with respect to security, notifying breaches, and carrying out data protection impact assessments. These obligations should take account of the nature of the processing and the information available to the data processor.
- The data processor shall delete or return all personal data to the data controller at the end of the contract, and must also delete any existing copies of the personal data unless it is required by law to retain them.
- The data processor must submit to audits and inspections and must furnish the data controller with any information it needs to ensure that both parties are meeting their obligations under the UK GDPR.
Document Templates Available
We have a range of Data Processing Agreement templates available for data controllers based in the UK:
- Our Data Processing Agreement (UK) is designed for a scenario in which a UK data controller wishes to engage a UK data processor to process personal data only within the UK.
- Our Data Processing Agreement (UK and UK to EEA) is designed for situations in which a UK data controller wishes to engage a data processor who is located either in the UK or in an EEA country. While the UK is no longer part of the EU or EEA, transfers of personal data from the UK to EEA countries are permitted.
International Transfers of Personal Data
As noted above, personal data can continue to be transferred to EEA countries without restriction, but what about non-EEA countries? In many cases, additional rules apply because once personal data moves beyond the UK or EEA, it is no longer under the umbrella of the UK or EU GDPR. The rights of individuals therefore have to be protected by other means.
Some transfers are permitted under EU adequacy decisions or UK adequacy regulations. In such cases, the data protection framework of a particular country has been assessed and found to be adequate when measured against GDPR standards. EU adequacy decisions current as at 31 December 2020 are still valid in the UK (but will be kept under review by the UK Government). The UK can also now make its own adequacy regulations.
Another mechanism which can be used is Binding Corporate Rules (BCRs). In simple terms, these apply within an international organisation and allow for transfers if both the sender and recipient have signed up to the rules. BCRs must be officially approved before they can be used and fall outside the scope of the content offered on this site.
Other options for “appropriate safeguards” include legally binding and enforceable instruments between public authorities or bodies, approved codes of conduct, certification under an approved certification scheme, or administrative arrangements between public authorities or bodies. There are also limited exceptions which may apply.
However, the main option, at least for the purposes of the contracts offered by Simply-Docs, is Standard Contractual Clauses.
Standard Contractual Clauses
The Standard Contractual Clauses or SCCs currently in use in the UK are those current in the EU at the end of the Brexit transition period. The EU has since published new SCCs, but these will not apply to data transfers from the UK. Instead, the Information Commissioner’s Office will be publishing and consulting on its own new UK SCCs soon, reportedly in summer 2021.
The benefit of SCCs is that they place contractual obligations upon the controller and processor (or exporter and importer, in this context) and create enforceable rights for data subjects. In essence, they fill the statutory void left by the absence of the (UK) GDPR with contractual provisions.
At present, the SCCs in effect predate the GDPR. Consequently, they cannot be used on their own as they do not themselves satisfy all the criteria set out in the UK GDPR for a data processing contract. It is likely that the new UK SCCs will remove this problem. For now, however, SCCs are used in conjunction with a processing contract.
Document Template Available
- Our Data Processing Agreement (UK to Non-EEA) is designed for use by a UK data controller who wishes to engage a data processor located outside the EEA to process personal data on its behalf. The main terms of the agreement are very similar to the UK to UK or EEA version of the agreement, but this version also incorporates the SCCs. The legal effect of the SCCs cannot be changed, but the Information Commissioner’s Office has made available a version of the SCCs with minor alterations to their wording so that they fit properly in this new (temporary) context. That version has been used in this document.