This Data Processor Agreement is for a company or organisation that is a data controller and appoints a third party to provide services as a data processor. The contract is designed to comply with GDPR (General Data Protection Regulation).
Written from the data controller’s perspective, the Data Processor Agreement comprises a one-page Form of Agreement, Terms and Conditions, plus Schedules to be completed detailing the Services, Fees, and Insurance.
The Terms and Conditions contain 18 clauses covering:
- scope of contract
- data processor’s obligations
- review and inspections
- price and payment
- intellectual property
- indemnity, liability and insurance
- assignment and subcontracting
- disputes and governing law
- general clause.
This data processor appointment is a template for use by an organisation which wants support in handling/processing personal data. Under the Data Protection laws and the European GDPR, there are numerous obligations on organisations with regard to data protection, and outsourcing to a suitable company can be useful.
As well as including clauses to ensure compliance with the GDPR and data protection laws, the data processor agreement includes terms allowing for inspection. The processor gives the controller warranties and indemnities and there are clear confidentiality obligations. The schedules will be completed for each contract and our template has some alternative suggestions with regard to fee arrangements.
This Data Processor Appointment services agreement is designed for use by a company that is controller of a lot of personnel data and wants to appoint another company to process that data on its behalf and so obtain services from another business, referred to in the agreement as the Processor. It is designed to reflect the requirements of the EU’s GDPR (General Data Protection Regulation) that is in effect in the UK and throughout the EU from 25 May 2018.
The contract is in three parts – first, a one-page Form of Agreement that is signed by both parties, second, Terms & Conditions and, third, Schedules which are left blank and need to be filled in specifying the services, the programme and the fee arrangements. The Terms & Conditions are written from the Company’s point of view and, while fair, are designed to protect the Company rather than the Processor.
FORM OF AGREEMENT
This identifies the contractual parties, the commencement date and completion date (if relevant) and states that the contract between the Company and the Processor comprises the Form of Agreement, attached Terms & Conditions and completed schedules.
TERMS & CONDITIONS
This contains a few defined terms used in the contract.
2. SCOPE OF CONTRACT
This briefly sets out the basic arrangement between the Company and the Processor: the Processor will carry out the services and the Company will pay the agreed fees for those services.
3. PROCESSOR’S OBLIGATIONS
This clause contains some general obligations as well as detailed obligations in clause 3.2 that are required by the GDPR and the ICO in the UK.
If there is a programme for any of the services, e.g. in getting personal data onto the Processor’s system, this clause will be relevant and the programme will be in Schedule 1 of the Agreement.
This makes it clear that the Processor’s personnel should be suitably qualified and subject to confidentiality obligations. The clause also provides for a representative to be identified as the Processor’s main point of contact with the Company.
This sets out the procedure for changing the scope of the services – and deals with the price and time implications of a variation. The clause makes it clear that an estimate of the likely cost has to be provided by the Processor and the Company can then consider whether or not to go ahead with the extra services.
7. REVIEW & INSPECTIONS
The Company has the right to review and approve any services. Also, any errors or defects have to be corrected by the Processor at its own expense. The Company has the option to withhold payment pending correction as well as the right to get the work done by someone else.
In addition, the Company has the right to visit the Processor and inspect its systems and security. The possibility of an inspection by GDPR supervisory authorities is also referred to in this clause.
8. PRICE AND PAYMENT
This clause refers to Schedule 2 where the contract price and fee arrangements are to be set out. The wording of the clause goes on to state that invoices must be accompanied by relevant supporting documents and specifies a payment date – our document says 28 days from receipt of invoice. The Company is allowed to withhold money if it has reason to do so, but it is required to give notice with reasons to the Processor.
Late payment will entitle the Processor to interest. Our clause proposes an interest rate of 3% above Base Rate. In the UK, if the contract does not specify an interest rate, the law allows an unpaid party to a contract to claim a high rate – 8 per cent above Base Rate under the Late Payment of Commercial Debts (Interest) Act. So, from the Company’s point of view it is better to specify the rate.
Here the Processor warrants – i.e. guarantees – to the Company that it will implement appropriate measures to meet GDPR standards as well as exercise a high degree of skill and care.
The Company has the right to terminate for convenience at any time on giving 30 days’ notice. It can also terminate if the Processor fails to perform. The Processor can terminate for non-payment and either party can terminate if the other becomes insolvent. The clause also deals with the consequences of termination.
11. INTELLECTUAL PROPERTY
Especially when the Processor has access to Company software and other intellectual property, it is sensible to have wording designed to protect the Company’s intellectual property rights and this is the purpose of our wording. Similarly, the Processor retains ownership of its own IP.
12. INDEMNITY, LIABILITY & INSURANCE
Here, the Processor gives an indemnity to the Company – i.e. agrees to make good all loss suffered by the Company – due to negligence on the part of the Processor or its personnel that causes death or injury or damage to property. In addition, the Processor gives an indemnity with respect to intellectual property rights.
Liability for GDPR breaches is also covered, including the possibility of penalties that might be imposed under various articles of the GDPR.
A data processor would usually have public liability insurance to cover against injury or death or damage to third party property. They may also have professional indemnity insurance to protect them against negligence claims.
The contract does not contain any limit on the potential liability of the Processor, nor is there a clause excluding liability for loss of profits or consequential losses. This is sometimes requested and it can be sensible to agree – if only because most companies would not have the resources to meet a really large claim. But in such a case, insurance is important.
Our clause deals briefly with the insurance issues by reference to Schedule 3, which is, in effect, optional depending on the circumstances.
This imposes strict confidentiality obligations on the Processor. In addition, any publicity concerning the contract (e.g. if the Processor wants to refer to it in his brochures) has to be approved in advance by the Company.
14. ASSIGNMENT AND SUBCONTRACTING
Consent is required before the Processor can assign or sublet any of his rights or obligations to a third party.
Our contract provides for a three-stage process for dealing with any dispute that arises – direct negotiation, mediation and then the courts. Our form says English law will apply, but this can be changed as appropriate. We have free information on our website that deals with these issues: Z139 and Z140.
This is a fairly standard clause dealing with notices given under the Agreement.
This clause contains what are known to lawyers as ‘boiler plate’ provisions.
These are largely left blank, except for some headings, and they should be filled in before the contract is signed. In the Payment schedule, some illustrative wording is shown in italics as there are various possibilities and we have shown two – a fixed fee, with a schedule of payments (probably linked to activities) and an estimated fee, with charges calculated by reference to daily or hourly rates (in which case an overall cap may be sensible).
It is sensible to have rates for extra services agreed at the time the contract is signed, as well as agreement on what expenses are chargeable in addition to fees, and our schedule allows for these.