How Does a Data Processor Ensure a Services Agreement Is GDPR Compliant? 

Suppliers of services often (although not always) act as data processors on behalf of their customers. A data processor is an organisation that processes personal data on behalf of a data controller. Where a supplier processes personal data on behalf of their customer, various stringent legal rules apply. In particular, the parties must enter mandatory data processing terms. This article will explore how to ensure that your services agreement is UK GDPR compliant if you act as a data processor. 

What Are Data Processing Terms?

Data processing terms are mandatory in certain circumstances under the General Data Protection Regulation (UK GDPR) law rules. The UK GDPR is the primary UK law governing rules on how organisations use personal data. 

Article 28 of the UK GDPR prescribes various mandatory terms that a data controller and data processor must enter into.

These terms include various obligations, including:

• the obligation for the processor to only process personal data on the controller’s instructions;
• duties to keep personal data confidential and adopt appropriate security measures when using it; 
• rules around sharing personal data with third-party sub-processors; and 
• provisions around dealing with data subject rights, assisting the data controller and what happens to personal data at the end of the contract. 

The key objective of these terms is to safeguard and protect personal data shared between controllers and processors. 

These terms can be set out in a services agreement or a standalone data processing agreement. 

Data processing terms are vital mandatory requirements and not optional for businesses. As such, the obligation to put data processing terms in place is fundamental. 

Are You a Data Processor?

From the outset, your supplier business must determine whether you act as a data processor on behalf of your clients. 

The key definitions to consider are ‘data controller’ and ‘data processor’. 

To summarise each role:

• the term data controller means an organisation that decides how and why to use personal data. Often, this will be a customer who gives a supplier access to their personal data to deliver the services; and
• in contrast, a data processor may only use personal data in accordance with the controller’s instructions. For instance, a customer may instruct that a supplier can only use their staff’s personal details to contact staff for limited purposes. 

You must determine whether you act as a data processor for each customer relationship and project. If so, the UK GDPR requires you to have a written contract in place to govern the data processing relationship. 

As a supplier, you should consider key questions, including:

• whether you will receive any personal data from your customer; and
• whether the customer will control your use of that data or if you will have any discretion over how to use the data. 

Suppose it turns out that you will have any elements of control over a customer’s personal data. In that case, it may be that you are, in fact, also a data controller, which means separate rules and data-sharing terms may be necessary. 

Determining whether you are a processor requires careful analysis. It will determine the contractual terms you need in place and other wider UK GDPR rules you need to comply with. 

Common Examples of Data Processing Relationships

A supplier can process personal data on behalf of a customer as a data processor in many ways.

Some common examples include:

• suppliers providing payroll support, using a customer’s staff details to run payroll only;
• IT support suppliers who receive staff contact details to answer their questions on IT and technology issues and problems with work software and equipment; or
• cloud storage or hosting providers who store customers’ personal data but do not use that data for their own purposes. 

In such cases, these suppliers must ensure their agreements with controller customers are UK GDPR compliant. 

How Can a Data Processor Ensure a Service Agreement Is GDPR Compliant?

If you have determined to act as a data processor, you must ensure that your customer agreements are UK GDPR compliant. 

Here are some critical steps to help you ensure compliance:

Make Sure Your Agreement Contains the Mandatory Data Processing Terms 

Assuming you will not enter into a standalone data processing agreement with your customers, you must ensure your services agreement is UK GDPR compliant. 

GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

You should ensure that your services agreement contains all the mandatory terms required by Article 28 of the UK GDPR. 

As well as the mandatory legal terms, you should also seek to protect your business from risk. You can do so by including additional terms to protect your business. For instance, you may seek to include:

• a contractual promise from the customer stating that they have appropriate permissions or consent to transfer personal data to you; and
• an indemnity obligation on the customer, compensating your business on a pound-for-pound basis for any losses you may suffer because they breached their obligations under the data processing terms. 

Make Sure Your Agreement Specifically Defines the Data You Process 

Your data processing terms with your customer should not be generic. Your agreement needs to set out the following clearly:

• the subject matter of the data processing and how long you will process personal data; 
• the nature and purposes of your data processing; and
• the types of personal data you will process and which data subjects you will process personal data about. 

As such, you should carefully consider which types of personal data you will process for a customer’s project and tailor your agreement accordingly. This is particularly important if customers choose which types of personal data to share with your organisation and define different parameters for its use. One way to do this is to include a schedule in your services agreement, where you will set out the bespoke data processing details for each customer on a case-by-case basis. 

Data Processor Seeking Legal Advice

If you are using your own services agreement, you must carefully incorporate data processing terms into the agreement. For instance, data processing terms can be in a schedule or annex to your services agreement.

You must also consider how your data processing terms align with the rest of your agreement. For instance, the termination clause in your contract may need to reference what you will do with customer personal data at the end of your contract.

Some customers may request a standalone data processing agreement, separate from your services agreement. For instance, if the data you are processing on their behalf is extremely high-risk and warrants a separate contract with comprehensive provisions. 

In these circumstances, legal advice on your agreements can be invaluable. You can work with a data protection lawyer if you need support preparing a well-drafted UK GDPR-compliant services agreement. A data protection lawyer will help you draft a clear and robust agreement and add value by helping address customer queries and negotiations. 

A data protection lawyer can also help you understand when a separate data processing agreement may be required. They can also assist with the negotiation of these documents.

Key Takeaways

There are various steps to take to ensure your services agreement is UK GDPR compliant. You must carefully analyse whether you act as a data processor and if data processing terms are necessary. Additionally, you should ensure your agreement contains clear data processing terms which are UK GDPR compliant. You can also consider building in additional contractual protection to protect your business from risk. If you require support incorporating robust data processing terms in a services agreement, you can work with a data protection lawyer to support you.

If you need advice on a services agreement and ensuring it is UK GDPR compliant, you can contact LegalVision’s experienced IT lawyers as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.