DPA 2018 and GDPR Compliant Data Processing Schedule
(Short-Form) (Pro-Controller)


Summary

This template is drafted in contemplation of arrangements where the parties wish to insert data processing provisions within a Schedule rather than as clauses in the main body of the agreement, for example due to the length of legally compliant provisions. This template includes practical guidance, drafting notes, and alternate and optional clauses. This template uses the defined terms "Agreement", "Business Day", "Customer", "Services", "Supplier" and "Supplier Personnel", which are not specific to data processing and which it is assumed are separately defined in the relevant agreement. The parties should include appropriate data protection provisions depending on the processing each party will undertake and applicable law. This template schedule is drafted from the controller's perspective and sets out the essential requirements in short form under UK data protection law that need to be addressed when a controller is engaging a processor to process personal data on the controller's behalf—for guidance on the meaning of controller/processor see below. These provisions primarily address the law as applicable in England and Wales. The terms "supplier" and "customer" (instead of "processor" or "controller" respectively) have been used to make this schedule easier to integrate into commercial agreements, on the assumption that this schedule will usually be used where a supplier will act as a processor of personal data for a customer. 
In relation to the contract provisions required, there are significant similarities between:
• The EU's General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) regime (which was applicable under UK law until the end of the Brexit implementation period at 11 pm UK time on 31 December 2020 and remains applicable in EEA states); and
• The United Kingdom General Data Protection Regulation, Retained Regulation (EU) 2016/679 (UK GDPR) regime (applicable under UK law from the end of the Brexit implementation period on 31 December 2020).

Assimilated law is the name given to retained EU law (REUL) which remains in force after the end of 2023. The re-categorisation of REUL (and associated terms) as assimilated law reflects a change in its status and treatment under UK law, in that it is generally to be interpreted according to ordinary domestic law and principles. From 1 January 2024, REUL is 'assimilated' into domestic law by virtue of the fact that it is generally stripped of EU-derived interpretive effects (e.g., supremacy of EU law, directly effective rights, and general principles previously retained under EU(W)A 2018). For more information, see Practice Note: Assimilated law and News Analysis: Implications of the move to 'assimilated' law, and the Retained EU Law (Revocation and Reform) Act 2023, for data protection lawyers.

While this template focuses on the position under UK law, to assist those who may be tasked with drafting arrangements under the EU GDPR these drafting notes refer to both regimes as "the GDPR regimes" for convenience and include references to the equivalent provisions of the EU GDPR. The Data Protection Act 2018 (DPA 2018) implements a limited number of additional provisions into UK data protection law in this connection, and regard should be had to the provisions of DPA 2018 in so far as they are relevant to the specific arrangements.
Controller and Processor Relationships

It is vital that natural persons and organisations involved in the sharing or other processing of personal data understand and identify their roles (e.g., processor, independent controller or joint controller) under data protection law. The role each party plays will establish the obligations of each party at law and allows the parties to identify the contractual and other risk mitigation steps they should take. Data protection law distinguishes between controllers and processors. In the context of services agreements, the customer will generally be a controller and the supplier a processor. Data protection law places legal obligations on processors (as well as controllers) to comply with a number of requirements in relation to the manner in which they process personal data. It is necessary for controllers and processors to enter into a written agreement that contains certain minimum provisions. Both processors and controllers are potentially liable for significant fines for non-compliance with data protection law. Putting in place clear and robust contractual provisions to govern the processing of personal data is only one piece of the data protection compliance jigsaw where controllers enter into arrangements with processors.
These will sit alongside other processes such as:
• Detailed pre-contract due diligence
• In-life compliance, risk and mitigations and improvements analysis
• Other compliance steps to be taken by businesses

Alternative Provisions

In the interests of brevity, these short-form provisions generally offer less protection to the customer than the longer-form versions, but are generally drafted on the same assumptions and to address the same situations, except that the longer-form version assumes:
• There will be some sub-processing
• Special categories of personal data may be processed

Assumptions

These template provisions have been drafted on the following basis:
• A single controller is involved in the processing (i.e., the supplier is processing personal data only on behalf of the customer, and not on behalf of any affiliates or third parties), the customer is acting as a controller and the supplier is acting as a processor
• Neither party is a public electronic communications service provider (such as a telecommunications company or internet service provider)
• Neither party is subject to sector-specific regulation (e.g., financial services)
• No data subjects are children or otherwise subject to additional protections under relevant data protection law
• The services are capable of some individualisation to address varying levels of risk associated with particular processing and there is reasonable scope for negotiation (as opposed to a commoditised cloud services offering, for example)
• No special category personal data (or data relating to criminal convictions and offences) is being processed. If special categories of personal data (or data relating to criminal convictions and offences or related security measures) are being processed, additional protections will need to be included. In the case of special category personal data, Part B should contain a further heading "special categories of personal data" and specify which types of special category personal data are concerned (e.g., "information regarding health records" or "information as to whether the data subject is a member of a trade union"). Other amendments may also be appropriate depending on the circumstances; for example, additional security measures may be appropriate for special category personal data.
• Not public sector: it is assumed that neither party is part of local government or the public sector
• Controller and processor are both established in the UK: it is assumed that both parties are based and established in the UK
• No international transfers and personal data not subject to any data protection law outside the UK: it is assumed that the processing of personal data is solely subject to UK law (e.g., the data has been collected in the UK and solely relates to UK data subjects) and that there will be no transfers of the personal data outside the UK or to an international organisation
• None of the personal data is subject to the special "Frozen GDPR" regime, and the parties do not wish to include any additional provisions to address the possibility that the UK may at some point in the future be obliged to impose different obligations on the processing of certain personal data subject to Article 71 of the EU-UK Withdrawal Agreement (see the guidance on Article 71 protected data below)
• No representative: neither the customer nor the supplier is acting as or through an appointed representative
• No profiling or automated decision-making is being carried out as part of the data processing activities
• Ownership of data: it is assumed that there is a separate clause (e.g., in the main body of the agreement) addressing ownership of customer data (possibly as part of the intellectual property clauses), which would generally include a limited licence to the supplier to use that data for the purpose of performing the services
• No data back-up: it is assumed that the processor is not providing data back-up services
• There is no high-risk processing and no data protection impact assessment (DPIA) is required; high-risk processing includes, for example, processing involving: (a) new technologies; and/or (b) a high risk to the rights and freedoms of natural persons (taking account of the nature, scope, context and purpose of the processing)
• Changes in law: these template provisions assume the supplier will comply (at its own cost) with changes in law from time to time as required to comply with the agreement
• Supplier is not collecting personal data on behalf of the customer: if that is the case, the customer should ensure that additional detailed instructions are provided as to what information should be collected from which individuals, and should impose additional obligations on the supplier to ensure that the collection is undertaken in a lawful manner, that such data is accurate and up to date, that any necessary consents are obtained and that all necessary transparency information is provided to data subjects. If the supplier is not subject to sufficiently detailed instructions it may be a joint controller rather than a processor.

Guidance

UK data protection law is a complex and principles-based regime, the text of which lacks clarity in a number of areas and on which there is currently limited guidance from regulators. Consequently, relevant regulators and/or courts may ultimately reach different views on the interpretation of the regime from those set out in this template. Specialist advice should be sought when tailoring these provisions for a particular scenario. We will update these template provisions based on evolving guidance. Guidance has been issued by the UK's Information Commissioner's Office (ICO), as well as by the European Data Protection Board (EDPB) under the EU GDPR (which is likely to remain highly influential in the UK under the UK GDPR given the similarities between the two regimes).
Conflicts within the Agreement

The order of precedence of this schedule as against other parts of the agreement needs to be considered. Although the parties may find it more convenient, given the extensive nature of data protection provisions, to include them in a separate schedule, the importance of those obligations means it will generally be appropriate to ensure that this schedule ranks at least equally with the clauses in the main body of the agreement in the order of priority, and provisions to achieve that should be included in the main body of the agreement.

Article 71 Protected Data

To the extent the UK does not have an adequacy decision granted by the EU from time to time, Article 71 of the EU-UK Withdrawal Agreement imposes specific obligations on the UK regarding personal data relating to data subjects outside the UK that was processed in the UK prior to 1 January 2021 or that is processed on the basis of the EU-UK Withdrawal Agreement (Article 71 protected data). Given the broad UK adequacy decision granted by the EU, those provisions are unlikely to be relevant at present. However, personal data transferred for UK immigration control purposes, or which otherwise falls within the scope of the exemption from certain data subject rights for the purposes of the maintenance of effective immigration control under paragraph 4(1) of Schedule 2 to the DPA 2018, is outside the scope of that adequacy decision. Therefore, such immigration control data that is Article 71 protected data may still be subject to a special "Frozen GDPR" regime under Article 71. Such data is uncommon, but appropriate amendments to this template should be considered where relevant. If the UK loses its adequacy decision in the future, Article 71 would oblige the UK to ensure that all Article 71 protected data (not just immigration control related data) is protected to a level "essentially equivalent" to the Frozen GDPR.
Organisations could therefore consider putting in place arrangements to address the risk that the UK loses its adequacy decision, resulting in Article 71 protected data having to be treated differently from other personal data under UK data protection laws. However, processors are generally likely to resist such speculative obligations, and the implications of Article 71 applying generally at some future date are likely to be difficult to predict or, at least in part, to be addressed by general contractual provisions in any event (e.g., a broad definition of "Data Protection Laws" and/or change control provisions). The UK government and/or courts may also take the view that UK law is 'essentially equivalent' to the Frozen GDPR (even if the EU disagrees). This template therefore assumes that the parties will not seek to agree further arrangements to address that theoretical possibility.

Interaction with Other Provisions of the Agreement

Consider how these template provisions fit within the agreement into which they are being inserted and amend the provisions as appropriate.
For example, consider:
• The limitation of liability clause, to ensure that the liability exposure of each party is appropriate and reasonable given the nature of the services being performed
• Whether the contract price appropriately reflects the level of risk being assumed by the supplier
• The extent to which breach of any provision of this Schedule gives rise to specific termination rights
• How changes of law apply in the context of the agreement and any conflict with interpretive provisions (e.g., those which set out whether references to law are references to law as amended from time to time or as at the date of the agreement)
• How these template provisions may interact with any general warranty, indemnity or similar provisions included elsewhere in the agreement
• How these template provisions may interact with any security or confidentiality provisions included elsewhere in the agreement
• Whether additional warranties would be appropriate

It is assumed that the agreement into which this template is inserted will include:
• General interpretation provisions substantially similar to those listed in clauses 1.2.1 to 1.2.7 of the Boilerplate set (short form) (with a reference to legislation meaning legislation as amended, extended, re-enacted or consolidated from time to time)
• A provision specifying that no variation of the agreement shall be valid or effective unless it is in writing and is duly entered into by the parties

This schedule refers to various documents having to be "written" or "in writing". The parties should consider whether the agreement into which this schedule is inserted includes an appropriate interpretation provision setting out the meaning of those terms (to confirm, for example, whether emails or other electronic forms can be used). If the interpretation to be given to "writing" is generally narrow, it may be appropriate to amend some references to things being "written" to an alternative term (such as "documented") that the relevant agreement provides has a broader meaning. Consider any potential conflicts, for example with the general notice clause.