A short guidance note explaining what agencies need to do with their supplier contracts when acting as controllers of personal data. It contains links to: (i) a separate guidance note on Supplier Contracts; (ii) an Addendum containing template data processing contract clauses; and (iii) a template covering letter for agencies to use when sending the Addendum to their suppliers.

What does the law require?

Under current data protection law, whenever a data controller uses a data processor it needs to have a written contract in place. Broadly speaking, under current data protection law, contracts with data processors must require that the data processor only acts upon the data controller’s instructions and implements appropriate data security measures.

The above requirements apply where your agency (acting as data controller) appoints suppliers (acting as data processors) who will process personal data on your agency’s behalf (such as IT service providers and outsourced payroll providers).

Under the GDPR, there are additional mandatory clauses concerning personal data which must be included in your agency’s contracts with your suppliers who will be processing personal data for you. The terms are much more detailed than required under current data protection law and are designed to ensure that processing carried out by a supplier meets all the requirements of the GDPR (not just those related to keeping personal data secure as is required under current data protection law).

What do you actually need to do?

The new requirements for data processor contracts mean that you will need to review, prioritise and amend your existing contracts with your agency’s suppliers to ensure those contracts contain all the required elements. Any relevant contracts in place on 25 May 2018 will need to meet the new GDPR requirements.

There are a number of different ways this review process can be conducted and much will depend on the number and complexity of the different supplier contracts your agency has in place.

You should also review all template contracts used with new suppliers to ensure that the minimum GDPR requirements are included in contracts with your agency’s suppliers going forward.

How can the IPA help?

The IPA has drafted some further guidance on Supplier Contracts for agencies. The Guidance sets out the recommended steps for you to take to assess, prioritise and amend your existing contracts with your agency’s suppliers in order to achieve a good level of compliance with the GDPR.

The IPA has also created a set of template data processing clauses in the form of an Addendum. The Addendum includes drafting notes to help you adjust the clauses to meet your agency’s requirements. The Addendum can be sent to your existing suppliers as described in the Supplier Guidance and also used when negotiating and drafting new supplier contracts. Please ensure you read the Supplier Guidance before using the Addendum as the Guidance contains important instructions on how to use the clauses contained in the Addendum.

There are various ways in which you can make contact with your suppliers in order to ensure appropriate GDPR-compliant clauses are put in place. The Supplier Guidance includes suggestions as to how this process can be managed. To assist agencies further in this area, the IPA has also produced a suggested Covering Letter which can be used for the purpose of sending the Addendum to the supplier. Please ensure you read the Supplier Guidance before using the Covering Letter as the Guidance contains important instructions on how to use it.

Please note that the Supplier Guidance, the Addendum and the Covering Letter only apply to contracts between an IPA member agency and its supplier performing services for the agency. This guidance does not apply to client contracts between your agency and your own clients. For guidance regarding client contracts please see the Client Contracts section.

Last updated 07 December 2023