Data Processing Agreement Template
13 Jun 2011
Precedent Data Processing Contract
This Supplementary Agreement ("Agreement") dated _______ 201[ ] is between:
(1) [ ] of [ ] ("the Data Controller") and
(2) [ ] of [ ] ("the Data Processor")
Whereas:
(A) This Agreement is supplemental to any other separate agreement entered into between the parties and introduces further contractual provisions to ensure the protection and security of data passed from the Data Controller to the Data Processor for processing.
(B) Paragraphs 11 and 12 of part II of Schedule 1 of the Data Protection Act 1998 place certain obligations upon a Data Controller to ensure that any data processor it engages provides sufficient guarantees to ensure that the processing of the data carried out on its behalf is secure.
(C) This Agreement exists to ensure that there are sufficient security guarantees in place and that the processing complies with obligations equivalent to those of the 7th Data Protection Principle.
(D) The Data Controller is acting as a data processor for (name of organisation). It is only acting as a Data Controller for the purpose of the transfer of data passed from it to the Data Processor for processing under the terms of this Agreement.
Definitions
"Data" shall mean []
"Processing" shall mean any operation or set of operations which is/are performed upon personal data (whether or not by automatic means), including collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. Such processing may be wholly or partly by automatic means or processing otherwise than by automatic means of personal data which form part of a filing system or one intended to form part of a filing system. A filing system shall mean any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographic basis.
Application
1 Subject to clause 5(b) this Agreement shall apply to all Data sent from the date of this Agreement by the Data Controller to the Data Processor until either party gives one month's written notice of termination.
Purpose of Processing
2 The Data Processor shall process the Data it receives from the Data Controller solely for [] and for no other purpose except with the express written consent of the Data Controller.
Security and Confidentiality of Data
3 (a) The Data Processor shall use its best endeavours to safeguard the Data from unauthorised or unlawful processing or accidental loss, destruction or damage and acknowledges that it has implemented the technical and organisational measures specified in Schedule A to prevent unauthorised or unlawful processing or accidental loss or destruction of the Data.
3 (b) The Data Processor shall ensure that each of its employees, agents or subcontractors are made aware of its obligations with regard to the security and protection of the Data and shall require that they enter into binding obligations with the Data Processor in order to maintain the levels of security and protection provided for in this Agreement.
3 (c) The Data Processor shall not divulge the Data whether directly or indirectly to any person, firm or company without the express consent of the Data Controller except to those of its employees, agents and subcontractors who are engaged in the processing of the Data and are subject to the binding obligations referred to in 3(b).
3 (d) The Data Processor shall ensure by written contract that any agent or subcontractor employed by the Data Processor to process Data to which this Agreement relates also provides the Data Processor with a plan of the technical and organisational means it has adopted to prevent unauthorised or unlawful processing or accidental loss or destruction of the Data and confirms to the Data Processor the implementation of those means.
Liability
4 The Data Processor's liability to the Data Controller for any loss or damage of whatsoever nature suffered or incurred by the Data Controller or for any liability of the Data Controller to any other person for any loss or damage of whatsoever nature suffered or incurred by that person shall to the extent permitted by law not exceed [£x].
Termination
5(a) Subject to clause 5(b) either Party may terminate this Agreement upon giving one month's prior written notice to the other. Upon receipt of written notice from the Data Controller or upon giving written notice of termination to the Data Controller, the Data Processor shall return any Data received from the Data Controller to the Data Controller forthwith.
5(b) Notwithstanding termination the provisions of clause 3 shall survive the termination of this Agreement and shall continue in full force and effect until all Data are returned to the Data Controller.
Assignment
6 This Agreement shall not be transferred or assigned by either party except with the prior written consent of the other.
Jurisdiction
7 This Agreement shall be governed by and construed in accordance with the law of England and Wales and the parties shall submit to the exclusive jurisdiction of the Courts of England and Wales.
IN WITNESS WHEREOF, each of the Parties hereto has caused the Agreement to be executed by its duly authorised representative.
Signed for and on behalf of [insert full name of Data Controller]
[Name of person signing the Agreement]
[Position of person signing the Agreement]
[Date of signature]
Signed for and on behalf of [insert full name of Data Processor]
[Name of person signing the Agreement]
[Position of person signing the Agreement]
[Date of signature]
SCHEDULE A
[Insert details of organisational and technical measures taken by the Data Processor to keep data secure and confidential. Please refer to the DMA's guidance notes on processing contracts.]
This is a precedent agreement and members should take their own independent legal advice as to whether it is suitable for use in the member’s particular circumstances.
Guidance Notes for DMA Suggested Data Processing Agreement
General
1. This supplementary contract covers processing of data only. It does not cover issues such as the ownership of data which should already be covered in current contracts.
2. It is not possible to prepare a standard contract relevant to all the wide variety of circumstances likely to be found, e.g. in mailing house, computer bureau, list broking or list management outsourcing. These guidelines therefore relate to a supplementary contract adding to the contractual relations already in place for processing (including the contract price) the additional requirements set out in the Data Protection Act 1998.
3. The purpose of a supplementary contract for processing is to ensure that the data which are subject to processing are no less safe with the data processor than they would be if the processing was undertaken by the data controller himself.
4. The supplementary contract for processing can be used either by a data controller outsourcing to a data processor or a data processor secondary outsourcing work to a sub-processor, provided the required changes are made as highlighted in the comments on the template. In the case of secondary outsourcing there must be a supplementary contract for processing between the data controller and the data processor. The data processor will become the data controller for the purposes of the sub-processing but only with regard to the transfer of data to the sub-processor. The data processor must check that their contract with the data controller allows them to outsource to a sub-processor and that, if required by the contract with the data controller, the appropriate consents have been obtained.
5. The Data Protection Act 1998 Schedule 1 Part II paras 9 – 12 sets out the interpretation of the 7th Principle which reads:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
6. Para 11 of Schedule 1 Part II requires the data controller to choose a data processor providing sufficient guarantees in respect of technical and organisational security measures governing the processing, and to take reasonable steps to secure compliance with those measures.
7. Para 12 says that the contract must be made or evidenced in writing and must provide that the data processor is to act only on instructions from the data controller.
8. Para 10 requires the data controller to take reasonable steps to ensure the reliability of its employees who have access to the data and para 12 (b) requires the contract to ensure that the data processor gives equivalent undertakings.
9. The security measures, taking account of “the state of technological development and cost of implementation,” must ensure a level appropriate to the harm that might result and the nature of the data to be protected.
10. When choosing a data processor the data controller should take up references and make other enquiries, e.g. whether they are members of a recognised trade body, to establish the processor’s bona fides.
Terms in Supplementary Contract
The essential features are:
a) name and address of both parties
b) clear delineation of the precise nature of the processing to be carried out, emphasising that the data processor must not take any action outside the description of processing laid down.
c) details on three separate issues:
i) reliability of staff used by the data processor. This will in practice require staff entering into confidentiality undertakings as part of the terms and conditions of working.
ii) technical measures taken by the data processor to avoid the possibility of unauthorised or unlawful processing or accidental loss, destruction or damage of the data concerned. This might involve written protocols to address access, e.g. password control, encryption, tracing, verification of parties communicating data, and the like. The data controller should consider asking the data processor to confirm that it has appropriate insurance cover against loss of or damage to the data by any means.
iii) organisational measures taken by the data processor – these include:
• is access to the building or room controlled or can anybody walk in?
• are the precautions against burglary, fire or natural disaster adequate?
• can casual passers-by read data off screens or print-outs?
• are back-up copies of the data stored separately from the live files?
• is there a procedure for cleaning tapes and disks before they are re-used or is new data merely written over the old? In the latter case is there a possibility of the old personal data reaching somebody who is not authorised to use it?
• is printed material containing information extracted from personal data disposed of securely? Often it will be appropriate to dispose of printouts by shredding.
• is there a procedure of authenticating the identity of a person to whom personal data may be disclosed over the telephone prior to the disclosure of the personal data?
• is responsibility for the data processor’s security policy clearly placed on a particular person or department?
• are breaches of security properly investigated and remedied – particularly when damage or distress has been caused to an individual?
d) the liability of the data processor for any misfeasance, loss or damage should be limited to an amount agreed to by the parties, and could be insured.
Overseas Processing
In assessing the appropriateness of using a data processor in a third country (i.e. outside the European Economic Area (EEA): the 27 Member States of the European Union plus Iceland, Liechtenstein and Norway), consideration should additionally be given to the political and legislative environment in which the data processor operates.
Sensitive Data
If sensitive data are to be processed the level of security should be greater than for non-sensitive data.