A short guidance note explaining issues for agencies to consider with regard to their client contracts when acting as processors of personal data on behalf of their clients.

What does the law require?

As mentioned in the Supplier Contracts section of the IPA GDPR Top Ten Practical Steps Guidance, the GDPR requires additional mandatory clauses concerning personal data to be included in contracts between data controllers and data processors. This requirement will also apply where agencies (acting as data processors) are appointed by clients (acting as data controllers) to process personal data on the client’s behalf (such as when an agency runs a direct marketing campaign for a client).

Under current data protection law, only the data controller (i.e. the client) is directly responsible for complying with the legal requirements. However, the GDPR gives data processors (i.e. agencies) responsibilities and liabilities in their own right when processing personal data solely for a client. In this situation, agencies as well as clients may now also be liable to pay damages or be subject to fines or other penalties.

What do you actually need to do?

The new requirements for data processor contracts mean that clients are also likely to be in the process of reviewing their existing contracts with agencies to ensure those contracts contain all the required elements.

Given the introduction of direct regulatory liability for agencies when they act as processors as well as controllers, it is equally important for agencies to ensure that their contracts with clients include appropriate data protection clauses. Any client contracts in place on 25 May 2018 will need to meet the new GDPR requirements.

Agencies will therefore need to review their client contracts and determine what changes need to be made. There are a number of different ways this review process may occur, and much will depend on the type of client, the nature of the services being performed, and the extent to which those services involve the processing of personal data by the agency for the client.

It is also important that agencies ensure that their contracts with new clients include appropriate data protection clauses going forward.

How can the IPA help?

As most agencies are aware, since 1998 the IPA and ISBA have made available suggested model terms for client/agency relationships. The most recent version of the model terms for client agency appointments for general creative-type services (not media buying) were launched in 2015 and are available here.

The 2015 version of the model creative agency contract includes a relatively short-form data protection clause to achieve a reasonable level of compliance with current data protection law. However, given the new requirements for contracts under the GDPR, the suggested data protection clause in the model contract will need to be reviewed.

The IPA has commenced discussions with ISBA regarding the most effective approach to make the necessary changes to the data protection clause in the model contract in a way which is reasonable and appropriate for both clients and agencies. We will provide agencies with an update on this in due course.

It is important to note that the Addendum referred to in the Supplier Contracts section of the IPA GDPR Top Ten Practical Steps Guidance, only applies to contracts between an IPA member agency and its supplier performing services for the agency. The data protection clauses in the Addendum are very “customer friendly” and as such should not be used by your agency for your client contracts where your agency is the supplier and your client is the customer.

Last updated 01 May 2024