This is a Data Processor Agreement dated the << >> day of << >> 2016
<<Name of Data Controller>> [a private company incorporated in England with limited liability under registered number <<Insert Number>> whose registered office address is at] OR [of] <<Insert Address>> (the “Data Controller”);
<<Name of Data Processor>> [a private company incorporated in England with limited liability under registered number <<Insert Number>> whose registered office is at] OR [of] <<Insert Address>> (the “Data Processor”)
- [Under a written agreement between the Data Controller and the Data Processor dated <<Insert Date>> (“the Services Agreement”) the Data Processor provides to the Data Controller] OR [The Data Controller from time to time engages the Data Processor to provide to the Data Controller] the Services described in Clause 1.5 and Schedule 1.
- The provision of the Services by the Data Processor involves it in processing Personal Data on behalf of the Data Controller.
- Under the Data Protection Act 1998 (Schedule 1, Part 2, paragraph 12), the Data Controller is required to put in place an agreement in writing between the Data Controller and any organisation which processes Personal Data on its behalf governing the processing of that data.
- The Parties have agreed to enter into this Agreement to ensure compliance with the said provisions of the Data Protection Act 1998 in relation to all processing of Personal Data by the Data Processor for the Data Controller.
- The terms of this Agreement are to apply to all processing of Personal Data carried out for the Data Controller by the Data Processor and to all Personal Data held by the Data Processor in relation to all such processing.
The terms and expressions set out in this Agreement shall have the following meanings:
- 1.1 “Act” means the Data Protection Act 1998;
- 1.2 “Data Controller”, “Data Processor”, “processing” and “data subject” shall have the meanings given to them in the Act;
- 1.3 “ICO” means the Information Commissioner’s Office;
- 1.4 “Personal Data” means all such “personal data” as defined in the Act as is, or is to be, processed by the Data Processor on behalf of the Data Controller;
- 1.5 “Services” means those [services] [and] [or] [facilities] described in Schedule 1 which are provided by the Data Processor to the Data Controller and which the Data Controller uses for the purpose[s] described in Schedule 1; and
- 1.6 “Security Measures” means the security measures set out in Schedule 2.
IT IS AGREED as follows:
- 2. The terms of this Agreement are to apply to all processing of Personal Data carried out for the Data Controller by the Data Processor and to all Personal Data held by the Data Processor in relation to all such processing, whether such Personal Data is held at the date of this Agreement or received afterwards. The terms of this Agreement supersede any other arrangement, understanding or agreement [including the Services Agreement] made between the parties at any time relating to the protection of Personal Data.
- 3. The Data Processor is only to carry out the Services, and only to process Personal Data received from the Data Controller:
  - 3.1 for the purposes of those Services and not for any other purpose;
  - 3.2 to the extent and in such manner as is necessary for those purposes; and
  - 3.3 strictly in accordance with the express authorisation and instructions of designated contacts at the Data Controller (which may be specific instructions or instructions of a general nature or as otherwise notified by the Data Controller to the Data Processor).
- 4. The Data Processor shall promptly comply with any request from the Data Controller requiring the Data Processor to amend, transfer or delete the Personal Data.
- 5. The Data Processor shall transfer all Personal Data to the Data Controller on the Data Controller’s request in the formats, at the times and in compliance with the requirements notified in writing by the Data Controller to the Data Processor from time to time.
- 6. The Data Processor shall comply at all times with the Act and shall not perform its obligations under this Agreement or any other agreement or arrangement with the Data Controller in such a way as to cause the Data Controller to breach any of its applicable obligations under the Act.
- 7. The Data Processor agrees to comply with any reasonable measures required by the Data Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with all applicable legislation from time to time in force and any best practice guidance issued by the ICO.
- 8. Where the Data Processor processes Personal Data (whether stored in the form of physical or electronic records) on behalf of the Data Controller it shall:
  - 8.1 not process the Personal Data outside the United Kingdom without the prior written consent of the Data Controller and, where the Data Controller consents to such a transfer, comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Act by providing an adequate level of protection to any Personal Data that is transferred;
  - 8.2 not transfer any of the Personal Data provided to it by the Data Controller to any third party without the written consent of the Data Controller;
  - 8.3 process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Data Controller or as is required by law or any regulatory body including but not limited to the ICO;
  - 8.4 implement appropriate technical and organisational measures and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure, and promptly supply details of such measures as requested by the Data Controller;
  - 8.5 in furtherance of its obligations under 8.4 above, implement and maintain the Security Measures;
  - 8.6 if so requested by the Data Controller (and within the timescales required by the Data Controller) supply details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access;
  - 8.7 on [at least <<Insert Number>> days’] OR [reasonable] prior notice, permit persons authorised by the Data Controller to enter any premises on which the Personal Data provided by the Data Controller to the Data Processor is processed and to inspect the Data Processor’s facilities, equipment, documents and electronic data relating to the processing of the Personal Data. The requirement to give notice will not apply if the Data Controller believes that the Data Processor is in breach of any of its obligations under this Agreement;
  - 8.8 notify the Data Controller (within two working days) if it receives:
    - (a) a request from a data subject to have access to that person’s Personal Data; or
    - (b) a complaint or request relating to the Data Controller’s obligations under the Act;
  - 8.9 provide the Data Controller with full co-operation and assistance in relation to any complaint or request made, including by:
    - (a) providing the Data Controller with full details of the complaint or request;
    - (b) complying with a data access request within the relevant timescale set out in the Act and in accordance with the Data Controller’s instructions;
    - (c) providing the Data Controller with any Personal Data it holds in relation to a data subject (within the timescales required by the Data Controller);
    - (d) providing the Data Controller with any information requested by the Data Controller;
  - 8.10 notify the Data Controller immediately if it becomes aware of:
    - (a) any unauthorised or unlawful processing, loss of, damage to or destruction of any of the Personal Data; or
    - (b) any advance in technology and methods of working which means that the Data Controller should revise the security measures set out in Schedule 2.
- 9. The Data Processor shall be liable for and shall indemnify (and keep indemnified) the Data Controller against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demand incurred by the Data Controller which arises directly from or in connection with the Data Processor’s data processing activities which are subject to this Agreement.
- 10. The Data Processor agrees that in the event that it is notified by the Data Controller that it is not required to provide any further Services to the Data Controller [under the Services Agreement], the Data Processor shall transfer a copy of all information (including the Personal Data) held by it which is subject to this Agreement to the Data Controller in a format chosen by the Data Controller and/or, at the Data Controller’s request, destroy all such information using a secure method which ensures that it cannot be accessed by any third party and shall issue the Data Controller with a written confirmation of secure disposal.
- 11. All copyright, database right and other intellectual property rights in any Personal Data processed which is subject to this Agreement (including but not limited to any updates, amendments or adaptations to the Personal Data by either the Data Controller or the Data Processor) shall belong to the Data Controller. The Data Processor is licensed to use such Personal Data under such rights only for the term of, for the purposes of the Services, and in accordance with this Agreement.
- 12. The Data Processor shall maintain the Personal Data processed by the Data Processor on behalf of the Data Controller in confidence, and in particular, unless the Data Controller has given written consent for the Data Processor to do so, the Data Processor shall not disclose any Personal Data supplied to the Data Processor by, for, or on behalf of, the Data Controller to any third party. The Data Processor shall not process or make any use of any Personal Data supplied to it by the Data Controller otherwise than in connection with the provision of the Services to the Data Controller. The above obligations in this Clause 12 shall continue for a period of five years after the cessation of the provision of Services by the Data Processor to the Data Controller. Nothing in this Agreement shall prevent either party from complying with any legal obligation imposed by the ICO or a court. Both parties shall however, where possible, discuss together the appropriate response to any request from the ICO or a court for disclosure of information.
- 13. The Data Processor shall not sub-contract to any third party any of its rights or obligations under this Agreement [without the prior written consent of the Data Controller. Where the Data Processor, with the written consent of the Data Controller, does sub-contract, it shall do so only by way of a written sub-processing agreement with the sub-contractor which imposes the same obligations on the sub-contractor as are imposed on the Data Processor under this Agreement and which permits both the Data Processor and the Data Controller to enforce those obligations. For the avoidance of doubt, where the sub-contractor does not meet its obligations under any sub-processing agreement, the Data Processor shall remain fully liable to the Data Controller for meeting its obligations under this Agreement].
- 14. The Data Processor accepts the obligations in this Agreement in consideration of the payment of £1 from the Data Controller, which the Data Processor hereby acknowledges.
- 15. This Agreement shall continue in full force and effect for so long as the Data Processor is processing Personal Data on behalf of the Data Controller, and thereafter as provided in Clause 12.
- 16. This Agreement shall be governed by the laws of England and Wales and subject to the exclusive jurisdiction of the courts of England and Wales.
SCHEDULE 1
The “Services” referred to in Sub-Clause 1.5 means <<Describe the Services and/or Facilities>>.
The Data Controller uses the Services for the following purpose[s]: <<Insert Description of Purpose(s), E.g. Administering the Data Controller’s Business and/or Providing the Data Controller’s Products and Services to its Customers>>.
SCHEDULE 2
The following are the Security Measures referred to in Sub-Clauses 1.6 and 8.5:
- 1. The Data Processor will ensure that in respect of all Personal Data it receives from or processes on behalf of the Data Controller it maintains security measures to a standard appropriate to:
  - 1.1 the harm that might result from unlawful or unauthorised processing or accidental loss, damage or destruction of the Personal Data; and
  - 1.2 the nature of the Personal Data.
- 2. In particular the Data Processor shall:
  - 2.1 have in place and comply with a security policy which:
    - (a) defines security needs based on a risk assessment;
    - (b) allocates responsibility for implementing the policy to a specific individual or members of a team;
    - (c) is provided to the Data Controller on or before the commencement of this Agreement;
    - (d) is disseminated to all relevant staff; and
    - (e) provides a mechanism for feedback and review;
  - 2.2 ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the Personal Data in accordance with best industry practice;
  - 2.3 prevent unauthorised access to the Personal Data;
  - 2.4 ensure that its storage of Personal Data conforms with best industry practice, such that the media on which Personal Data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to Personal Data is strictly monitored and controlled;
  - 2.5 have secure methods in place for the transfer of Personal Data whether in physical form (for instance, by using couriers rather than post) or electronic form (for instance, by using encryption);
  - 2.6 put password protection on computer systems on which Personal Data is stored and ensure that only authorised personnel are given details of the password;
  - 2.7 take reasonable steps to ensure the reliability of employees or other individuals who have access to the Personal Data;
  - 2.8 ensure that any employees or other individuals required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Agreement;
  - 2.9 ensure that none of the employees or other individuals who have access to the Personal Data publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Data Controller;
  - 2.10 have in place methods for detecting and dealing with breaches of security (including loss, damage or destruction of Personal Data) including:
    - (a) the ability to identify which individuals have worked with specific Personal Data;
    - (b) having a proper procedure in place for investigating and remedying breaches of the data protection principles contained in the Act; and
    - (c) notifying the Data Controller as soon as any such security breach occurs;
  - 2.11 have a secure procedure for backing up and storing back-ups separately from originals;
  - 2.12 have a secure method of disposal of unwanted Personal Data including for back-ups, disks, print-outs and redundant equipment; and
  - 2.13 adopt such organisational, operational and technological processes and procedures as are required to comply with the requirements of ISO/IEC 27001:2013 as appropriate to the Services provided to the Data Controller.
SIGNED for and on behalf of
<<Name of Data Controller>>
[Print name of person signing on behalf of the Data Controller]
SIGNED for and on behalf of
<<Name of Data Processor>>
[Print name of person signing on behalf of the Data Processor]