Table of Contents
A data processing agreement is a contract between a data controller and a data processor. The agreement establishes the legal framework in which the processor processes personal data on the controller’s behalf. A data processing agreement is a critical document for UK GDPR compliance. Often, suppliers present data processing agreements on their own standard terms, which are drafted heavily in their favour. This article will explore whether you should negotiate a data processing agreement as a data controller.
Do Businesses Need a Data Processing Agreement?
The UK GDPR sets stringent rules regarding sharing personal data with third parties. If you process any personal information, it will generally be either a data ‘controller’ or a data ‘processor’.
A data controller is a person or organisation that decides how and why to collect and use personal data. On the other hand, a data processor is a person or organisation that processes personal data on the controller’s behalf.
If a controller shares personal data with third-party suppliers who will process personal data, you will need a data processing agreement. This is because when a data controller uses a data processor, the parties must enter into a written agreement that establishes each party’s obligations under the UK GDPR.
Should I Negotiate a Data Processing Agreement I Receive From a Supplier?
If acting as data processors, suppliers are equally responsible for having in place data processing agreements. Often, suppliers will include data processing terms in:
- commercial services agreements; or
- separate agreement for customers to sign.
As a data controller, you must review any data processing agreement proposed by a supplier. You will need to ensure that the agreement:
- complies with the UK GDPR rules and includes various mandatory clauses; and
- is fit for purpose and tailored for your project, meaning you should check that the details of the data processing activities are clear and correct.
As part of this review, you should also check whether any terms are onerous or unfair. You can also use this time to negotiate certain terms to protect your best interests and prevent risks.
Continue reading this article below the formCall 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.
What Terms in a Data Processing Agreement Should I Negotiate?
There are a lot of terms that are often negotiated in data processing agreements. The amount of negotiation required will depend on the types of personal data being processed and how risky the project is. For example, a very low-risk project involving personal data that is already in the public domain (such as work email addresses) may not require as much negotiation. However, a large-scale project involving the supplier processing sensitive or criminal offences data will carry much more risk and need further attention.
It is worth noting that some very large suppliers like Microsoft are unlikely to negotiate their data processing terms. If that is the case, you should carefully review and ensure you are comfortable with the terms before signing them. If you require support with understanding third-party data processing agreements, you can seek advice from an experienced data protection law solicitor.
Below are examples of some of the most common negotiation points in data processing agreements.
1. Request For Data Protection Indemnity
As part of data processing agreement negotiations, the allocation of liability is a crucial issue. Often, data controllers request indemnities. An indemnity is a contractual promise from a party (the indemnifying party) to compensate the other (the indemnified party) for a specific loss they suffer if a trigger event happens.
Often, data controllers will expect processors to indemnify them for any data protection law breaches that cause damage or loss. As such, data controllers can recover their losses from the processor for any damage suffered.
2. Specific Security Requirements
The UK GDPR requires that a controller should only use a processor that provides sufficient guarantees that it will implement appropriate technical and organisational measures. Data security is critical so that the controller can have assurance that the personal data they share will be kept secure.
As a customer, you may ask the processor to include detailed and specific security measures in your data processing agreement. Often, the parties will negotiate the types of security measures the processor is required to have in place during the contract term.
3. Requesting High Liability Provisions
Data processors often want to limit their liability under data processing agreements. This is particularly important, given the heavy fines you might face for breaching the UK GDPR.
Where a processor is working with multiple customers, liability will be a crucial concern. Often, processors seek to put a limit or ‘cap’ on the amount of money they will pay the controller customer if the customer brings a claim against them for breaching data protection laws.
However, as a controller, you should carefully review the processor’s limits on liability for breaching data protection laws. It is common for controllers to push for processors to accept much higher liability for data protection losses.
Generally, data processor suppliers are likely to reject requests for unlimited liability. Often, parties agree to a much higher cap on the supplier’s liability for data protection. For example, a multiple of the project charges the customer pays the supplier under the relevant agreement.
This factsheet sets out how your business can become GDPR compliant.
Key Takeaways
A data processing agreement is a vital document for data controllers and processors to enter into in order to comply with the UK GDPR. As a customer sharing personal data with a supplier acting as a processor, you should always carefully review data processing agreement terms. It is also sensible to negotiate data processing terms where possible, particularly where a supplier’s terms are onerous and one-sided. For example, you can request a supplier indemnity to protect your business from risk and recover any losses you suffer as a result of the supplier breaching data protection laws.
If you need help negotiating a data processing agreement, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
We appreciate your feedback – your submission has been successfully received.