Data Protection


Writing Contracts | Data protection guidance

Contracts are required to ensure that third parties comply with UCL data protection requirements.


Background information

Risks and Responsibilities

Ensure old and new contracts address the changes post GPDR to cover the latest Data Protection legislation.

  • Most contracts will already include clauses which address data protection issues, but it is highly likely that many contracts at the time they were completed would not have made provision for the possibility of the DPA 1998 being superseded, never mind the requirements of the new data protection legislation.
  • You should review your existing contracts which will still be live by the time the new data protection legislation is in force and check the data protection clauses within them. It is highly likely the clauses within these contracts will need to be updated to ensure that the data protection obligations reflect the data protection legislation requirements.
  • Equally, any contracts currently being negotiated should contain provisions which incorporate the GDPR. Otherwise, you run the risk of breaching data protection legislation as soon as it applies.

Key Clauses to Include

Data protection legislation requires very specific provisions to be included in a written contract between a controller and a processor. 

Minimum to set out in contract

  • the subject matter and duration of the processing;
  • the nature and purpose of the processing;
  • the type of personal data and categories of data subject; and 
  • the obligations and rights of the controller.

Minimum clauses to include

  • only act on the written instructions of the controller;
  • ensure that people processing the data are subject to a duty of confidence;
  • take appropriate measures to ensure the security of processing;
  • only engage sub-processors with the prior consent of the controller and under a written contract; assist the controller in providing subject access and allowing data subjects to exercise their rights under the data protection legislation;
  • assist the controller in meeting its data protection legisaltion obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
  • delete or return all personal data to the controller as requested at the end of the contract; and
  • submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the data protection legislation or other data protection law of the EU or a member state.

Differences in clauses according to the relationship type

The type of clauses that you will need to add to the contract will depend on the relationship between the contracting parties.

Possible relationships:

  • Controller to Controller
  • Controller to Processor
  • Processor to Sub-Processor

You can contact the Data Protection Office if you require further assistance.

Future changes

In the future, standard contract clauses may be provided by the European Commission or the ICO, and may form part of certification schemes. However, at the moment no standard clauses have been drafted.

Which Contracts

Most contracts are likely to be affected.

You need to consider data protection legislation when negotiating any contracts which involve the sharing of personal data between the parties or processing personal data generally; this will cover most contracts.

Check existing contracts

Any contracts in place with Processors on 25 May 2018 will need to meet the new data protection legislation requirements.
You should, therefore check your existing contracts with Processors to make sure they contain all the required elements. If they do not, you should get new contracts drafted and signed. You should review all template contracts you use.