Creative Services Framework Agreement – data protection update

A useful tool for agencies and advertisers to use when starting a new business relationship

As the business landscape changes, so too must the joint ISBA/IPA Client/Agency model terms – Creative Services Framework Agreement (CSFA) - a useful tool for agencies and advertisers to use when starting a new business relationship.

There have been several iterations of the CSFA over the years, with the most recent launched in May 2018 when the GDPR came into force and new data processing clauses were inserted. With the EU GDPR having now had several years to bed-in, regulatory guidance and best practice for data processing clauses has moved on. For these reasons (and as a result of Brexit and the introduction of the UK GDPR), the IPA and ISBA, with the advice of law firm, Lewis Silkin, agreed that these standard data processing clauses needed updating.

Rather than create another short-form and long-form set of clauses (as previously), we have now created just one, comprehensive set for use whenever an agency is going to be processing personal data on behalf of a controller client. The rationale is that either client personal data will be processed by its agency, in which case the single set of clauses should be used, or it won’t, in which case no clauses are necessary (other than a brief explanation to that effect).

We have, therefore, created a detailed document for our members which contains explanatory guidance, followed by three annexes. The first annex contains clauses to be included in the body of the CSFA (including an option for an explanation as to why no detailed data processing clauses are necessary). The second two annexes contain the single set of clauses themselves, in alternative formats. We have also updated the current CSFA templates for ease of use by agencies and clients, with redlined pdfs showing the changes to the previous version and clean Word versions. All of these documents are available to members on the IPA and ISBA websites.

Says Richard Lindsay, Director of Legal & Public Affairs, IPA: "Much has changed in the world of data protection since the arrival of the GDPR. The ICO has been busy producing guidance and Brexit and the introduction of the ‘UK’ GDPR meant that changes to the old clauses added to the CSFA in 2018 were necessary, including to some terminology. We and ISBA, therefore, agreed, on the advice of Lewis Silkin, that where agencies will be processing any client personal data, regardless as to volume or regularity, the parties ought to use one set of comprehensive clauses to ensure that they comply with the law, rather than opt for a short-form version where processing will take place but may not be central to the services to be provided by the Agency. I would like to thank Mark Hersey, Bryony Long and Mithila Gupte of Lewis Silkin for their advice and help with drafting the new clauses and updating the CSFAs."

Andrew Lowdon, ISBA Director of Agency Services, said: "This collaboration between ISBA and the IPA, working with Lewis Silkin, has produced a set of data protection clauses that we hope will be simpler for advertisers and their agencies to use in their Creative Services Framework Agreements. Instead of having to choose between a short-form or long-form set of clauses, there is now only one set. The clauses not only include updated terminology which was necessary following Brexit, but also, we believe, reflect the ICO’s interpretation of the law. I would also like to thank Lewis Silkin for their hard work on this project."

The documents are available for IPA members to download
Last updated 17 April 2024