An agreement which can be used for data processors (i.e. suppliers/HR consultants acting as data processors) to confirm they are GDPR compliant.
Use this Data Processor Agreement…
To clarify and set out your expectations of your Data Processors, i.e. your suppliers: people or organisations who process personal data on your behalf. Examples include the organisation that undertakes your payroll (if you outsource it) or, if you lease part of a building that has CCTV and a visitors’ book, the company managing the building.
As a reminder, you are the Data Controller, i.e. the person or organisation who handles the personal data and makes decisions about how to process it.
Under the GDPR Data Processors have obligations to:
- Maintain a written record of processing activities carried out on behalf of each Controller
- Designate a Data Protection Officer if required
- Appoint a representative if they are not established in the EU and conduct processing of EU data subjects
- Notify the controller on becoming aware of a personal data breach without delay.
In addition, the ICO have quite a comprehensive list of clauses they recommend including in your agreements/contracts with Data Processors.
There are various ways you can ensure that your Data Processors are complying with the GDPR: you can use contractual documentation, checklists, surveys, agreements and so on. This Agreement provides one solution for you to adapt for your own purposes and send to your Data Processors to ensure that you have set out your expectations and that the Data Processors are clear about their obligations in respect of Data Protection.
What the Data Processor Agreement covers…
- The nature of the services the Data Processor provides
- That the Data Processor will only process personal data when authorised by the Data Controller
- That the Data Processor will maintain confidentiality
- The security measures the Data Processor has in place
- How the Data Processor will manage subject access requests
- How the Data Processor will manage and communicate data breaches
- Whether the Data Processor will transfer data outside the EEA
- Details of the Data Protection Officer the Data Processor has appointed
- Return/deletion of data upon termination of the Data Processor’s services.
Ask us for further support…
- If you are unsure when or how you should use this Agreement.
- If you would like support adapting this Agreement for your own use.