Where companies share personal information about individuals, strict legal rules apply. Understanding whether your contract needs mandatory data processing clauses as prescribed under the UK General Data Protection Regulation (UK GDPR) is vital. This determination is equally crucial for business suppliers and customers and can be relevant for various commercial agreements. This article will explore whether your contract needs data processing clauses and some key practical and commercial issues to consider if your agreement includes such clauses.
Why Are Data Processing Clauses Vital?
The UK GDPR is the fundamental law governing the use of personal data in the UK. Under the UK GDPR rules, certain circumstances require a contract with data processing terms.
Article 28 sets out essential terms that must be in place between a data controller and a data processor. These terms cover various duties, such as the processor only handling personal data as instructed by the controller, keeping data confidential, using appropriate security measures, managing the sharing of data with third-party processors, dealing with data subject rights, assisting the controller, and handling data at the end of the contract.
The core intention of these terms is to protect and keep personal data safe when it is shared between controllers and processors.
These mandatory terms can be part of a services agreement or set in a separate document for data processing.
Data processing terms are fundamental – they are not discretionary for businesses. So, making sure these terms are in place is extremely important.
Do I Need Data Processing Clauses in My Contract?
Let us imagine your business is entering into a contract. Does it need data processing clauses?
It is paramount first to establish whether you operate as a data processor on behalf of your clients. Understanding the distinction between ‘data controller’ and ‘data processor’ is essential.
Essentially:
- a data controller is an organisation that determines how and why personal data may be used. Typically, this role falls to customers who grant suppliers access to their data to facilitate service delivery; and
- conversely, a data processor may use personal data only in accordance with the controller’s instructions. For example, a customer may instruct that a supplier can only use its staff’s personal details for specific, limited purposes, such as contacting staff to provide IT support services under an IT services agreement, and not for any other processing.
To determine whether your contract needs to include data processing clauses, you must carefully assess your role in processing personal data and understand whether you are in a controller-to-processor relationship.
If your business handles personal data on behalf of a customer (for instance, by processing customer information to deliver services), you are likely to act as a data processor. As such, you must enter into data processing terms with your customers for UK GDPR compliance purposes.
Data processing clauses will determine various rules and parameters around how you may use a customer’s personal data. For instance, how long you can use it, what the purposes of use are and when you should delete it.
This factsheet sets out how your business can become GDPR compliant.
In everyday situations, such as where suppliers provide payroll support, offer IT assistance, or store data in the cloud, suppliers typically act as data processors and must ensure their agreements with controller customers include data processing clauses to comply with the UK GDPR.
What Are Some Key Tips for Ensuring Data Processing Clauses Are Compliant?
If your agreements need data processing clauses, you must ensure that such terms comply with the UK GDPR rules.
Here are some tips to help ensure compliance:
- ensure that you reference the correct laws in the terms. If you are a UK business subject to only UK laws, ensure your terms refer to the ‘UK’ GDPR;
- ensure your contract includes all mandatory data processing terms as the UK GDPR requires. Key terms such as confidentiality, security, and following the controller’s instructions must be documented;
- ensure your data processing terms accurately reflect how you intend to process personal data. For instance, if you will engage sub-processors or send personal data outside the UK, ensure your terms reflect this;
- make sure that your data processing terms correctly and precisely define the types of personal data you will process and why, including the duration, nature and purposes of the processing; and
- ensure your data processing clauses are reviewed and updated to reflect your current data processing activities.
What Should I Consider Commercially Around Data Processing Clauses?
Consider various points carefully when incorporating data processing clauses into your commercial contracts.
Here are some key issues to consider:
- Your customers may seek to negotiate the data processing clauses, and their inclusion could increase your liability under your contracts. For instance, a customer may push for unlimited liability for any losses it suffers due to your business breaching the data processing clauses. Customers may also request onerous and high-risk data protection indemnity obligations.
- Contract negotiations could take longer. This is because data processing clauses may lead savvy business customers to raise due diligence enquiries if your business processes personal data on their behalf. To be prepared for this, you should understand your role as a data processor and be ready to explain to your customers how you will use their data and safeguard it from risk.
- Customers may ask for details of your data security measures and any accreditations or security certifications you hold. Having strong data security measures in place before negotiating contracts under which you will use customer data is a good idea.
If you need help navigating these issues and customer questions, you can seek advice from an experienced data protection lawyer.
What Can Go Wrong if My Contracts Omit Data Processing Clauses Where Required?
If you need help understanding whether your contract needs data processing clauses, consult a data protection lawyer to guide you.
Key Takeaways
Data processing clauses are vital and mandatory provisions in a controller-to-processor data-sharing relationship. If required, your contract must include data processing clauses so your business can comply with data protection laws if you are not entering into a standalone data processing agreement. Data processing clauses will help you safeguard personal data and build customer trust. These clauses will also help your business avoid significant harm, such as heavy fines and reputational damage.
If you need advice on data processing clauses, you can contact LegalVision’s experienced IT lawyers as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.