New Data Sharing and Data Processing Provisions and More

July 2018

Confidentiality Agreements, also known as Non-Disclosure Agreements, are a valuable addition to the business toolbox. Protecting the secrecy of valuable business information when dealing with a third party is of great importance. In some cases, this is achieved through a confidentiality clause in another contract; however in some cases – particularly if more detail is desirable – a dedicated agreement is preferred.

Data Protection Updates

In addition to general best practice updates and improvements to our core Non-Disclosure Agreements, we have added new data protection provisions dealing with (in most cases) data sharing and data processing, designed for use in situations where the confidential information to be disclosed includes personal data.

We have taken a broad approach when it comes to defining “data protection legislation”. Our definition is broad and has been designed to ensure a smooth transition from the GDPR to the Data Protection Act 2018. It also guards against the possibility of an uncertain Brexit transition by retaining the applicability of the GDPR until such time as it no longer has legal effect in the UK. As it applies to this situation, the purpose of the DPA 2018 is primarily to incorporate the GDPR’s provisions into UK law, so definitions and the overall effect are likely to remain unchanged. If this position changes in the future, our information and documents will be updated accordingly.

As noted above, two new options are included (in all but the pre-project agreement which includes only a data sharing clause due to its purpose). The first is a controller-to-controller data sharing clause; the second is a controller-to-processor data processing clause (wherein the party receiving the confidential information processes personal data on behalf of the disclosing party).

Each new clause clearly sets out the respective obligations of the parties, including important requirements such as the establishment of appropriate technical and organisational measures to protect the personal data being shared or processed. Optional restrictions have also been incorporated with respect to further transfers of the personal data and non-EEA transfers. In each clause, mutual indemnity provisions ensure that either party to the agreement will indemnify the other for harm resulting from the indemnifying party’s breach of the data protection legislation.

The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.

Top