Data (Commercial) meaning

This Checklist This Checklist identifies the principal terms to weigh up within a consultancy agreement. It draws attention to points affecting the customer, matters impacting the consultant, and considerations shared by both sides for incorporation into a consultancy agreement. The Checklist supports both consultant and customer as they assess and bargain over a consultancy agreement, effectively guiding review and negotiation throughout the process. See also: Taking instructions for a consultancy agreement—checklist...

Flowchart This Flowchart assists in identifying and selecting which Precedent agreement for the supply of services is best suited for use in a particular situation or circumstance. An at-a-glance table likewise summarises the principal underlying drafting assumptions for each of the Precedent agreements, providing an alternative means of deciding the most appropriate Precedent to deploy in any given situation or context. Only business-to-business (B2B) Precedent options are addressed by the Flowchart together with the accompanying table...

This checklist This checklist highlights the principal issues to address when preparing contractual terms for business to business agreements on product safety and liability. See Practice Note: Product liability risk management for producers for guidance on controlling risk ahead of new supply arrangements, including carrying out appropriate due diligence on other relevant businesses in the supply chain. Identify all applicable laws (eg Sale of Goods Act 1979, Sale and Supply of Goods Act 1994, Consumer Protection Act 1987, General Product Safety Regulations 2005, SI 2005/1803, Consumer Rights Act 2015 and Digital Markets, Competition and Consumers Act 2024), as well as any standards and codes of practice that govern the products. Take into account specific legislation for the manufacture, import and sale of particular goods such as fireworks, cosmetics, toys, pharmaceuticals and medical devices, personal protective equipment (PPE), gas appliances, food and animal feed, and automotive. See Practice Notes: Consumer protection for defective or dangerous products—legal bases, Product liability and defective products and General Product Safety Regulations...

The EU General Data Protection Regulation (EU GDPR) sets out several rights for data subjects, including the right to access their personal data, and rights to rectification, erasure, restriction of processing and data portability. Data subjects may ask an organisation to exercise one or more of these rights at any time, and strict deadlines apply to meeting such requests. For comprehensive guidance on managing data subject access requests, see Practice Note: Ireland-How to handle data subject access requests. This Flowchart outlines a process for dealing with data subject requests made under the EU GDPR. It reflects the Regulation’s requirements alongside guidance issued by the Data Protection Commissioner (DPC), and should be read with Practice Note: Ireland-How to handle data subject access requests and Ireland-Evaluating a data subject access request-flowchart, where relevant. Note 1-data subject requests The EU GDPR grants data subjects a number of rights, including: a right of access to their personal data rights to rectification, erasure and restriction of processing a...

This Flowchart This Flowchart helps determine the appropriate rate of stamp duty land tax (SDLT) for the transaction in question. Different SDLT rates may apply to purchases depending on the property type (residential, non-residential (commercial property), or mixed-use property). Use this Flowchart in conjunction with Practice Note: Rates of SDLT. This Flowchart proceeds on the basis that: the buyer is acquiring a single property and the purchase is not linked with any other transaction. For further detail on linked transactions, see Practice Note: SDLT chargeable consideration—Linked transactions no relief from SDLT applies to the transaction...

This Flowchart This Flowchart supports your decision on whether a data protection impact assessment (DPIA) is necessary when initiating a new project that involves personal data from the outset, helping you decide effectively. It sets out: three scenarios in which a DPIA is mandatory under Article 35(3) of Assimilated Regulation (EU) 2016/679, UK General Data Protection Regulation (UK GDPR); and ten further processing activities for which the Information Commissioner’s Office (ICO) requires a DPIA to be carried out Where a DPIA is not needed, you should think about using a simpler form of review, which we call a privacy impact assessment (PIA) instead. The Flowchart enables you to determine which assessment—DPIA or PIA—best fits your project in practice. For additional guidance on DPIAs and PIAs, see Practice Note: How to complete a data protection impact assessment—DPIA...

In this issue: Key DR developments Cross-border disputes Pre-action and limitation Litigation Case management Evidence and disclosure ADR Scottish Dispute Resolution Dates for your diary Useful information Daily and weekly news alerts Key DR developments Guidance and reports Courts and Tribunals Judiciary publishes February 2026 updated edition of the Equal Treatment Bench Book: The Courts and Tribunals Judiciary has issued an interim February 2026 update to the Equal Treatment Bench Book. For more information, see: Courts and Tribunals Judiciary publishes February 2026 updated edition Equal Treatment Bench Book—LNB News 26/02/2026 28. HCCH publishes 2025 annual report highlighting private international law developments The Hague Conference on Private International Law (HCCH) has released its 2025 annual report, noting the creation of two new Experts’ Groups to examine private international law topics linked to Digital Tokens and Carbon Markets. For more information, see: HCCH publishes 2025 annual report highlighting private international law...

On 19 November 2025, the Commission unveiled its Digital Omnibus proposal. It comprises two principal strands: one delivering ‘quick fixes’ to pain points in Regulation (EU) 2024/1689, the EU AI Act, and another, more intricate, amending the data acquis, most notably Regulation (EU) 2016/679, the EU General Data Protection Regulation (EU GDPR), Directive 2022/58/EC, the ePrivacy Directive, and Regulation (EU) 2023/2854, the EU Data Act. The headline items are delays to the high-risk AI rules under the EU AI Act, and a fresh EU GDPR lawful basis of legitimate interest for processing personal data when developing or operating AI systems (with safeguards). There is much to absorb—just as we get to grips with the new regime, changes are proposed, some bound to be disputed while others will be seen as eminently sensible. Here we outline the key points. EU GDPR The EU’s flagship legislation, the EU GDPR, is poised for its first substantial overhaul, with several significant amendments on the table...

MLex was informed by the Data Protection Commission that it has written to DeepSeek seeking details about how it processes data relating to individuals in Ireland. The watchdog declined to add anything more for now. Ordinarily, the DPC acts as the principal data regulator handling privacy issues involving major technology companies in the EU, since many base their European headquarters there. However, DeepSeek’s operators lack an EU establishment, so any member state authority is able to open a probe into issues impacting its own jurisdiction directly too...

Data security sits at the heart of the EU General Data Protection Regulation (EU GDPR). The sixth data protection principle—integrity and confidentiality—requires you to adopt suitable technical and organisational measures so that personal data is processed with appropriate security, including: protection against unauthorised or unlawful processing accidental loss, destruction, or damage This Practice Note reflects Data Protection Commission (DPC) guidance on personal data breaches under the EU GDPR, and also draws on guidance from the European Data Protection Board (EDPB). Data security requirements Article 32 puts practical detail behind the GDPR’s integrity and confidentiality principle. You must implement appropriate technical and organisational measures to achieve a level of security proportionate to the risk, taking into account: the nature, scope, context, and purpose of processing the risk of varying likelihood and severity for the rights and freedoms of data subjects Where appropriate, your security measures should include: the pseudonymisation and encryption of...

This Practice Note forms part of the Lexis+® UK Corporate private equity buyout transaction toolkit. Beyond choosing between a share sale and an asset sale structure, a range of matters should be weighed at the outset of a private equity buyout (MBO), before due diligence begins and the principal transaction documents are negotiated. These matters can influence the core commercial and legal terms, so each side is well advised to address them before settling any headline terms (and before executing heads of terms for both the acquisition and equity elements) and before fixing the transaction timetable. The topics outlined below (and in the Practice Notes referenced in this sub‑phase) may remain relevant throughout the deal, particularly during negotiation of the formal documentation, but they are highlighted early because lawyers for all interested parties ought to consider them and brief their clients as soon as possible. Corporate issues to consider Selected corporate law points are outlined below; applicability will vary with the nature of the deal and the parties...

This Practice Note This Practice Note offers a high-level overview of the data protection framework relevant to direct marketing, particularly how such activities may give rise to compliance obligations under the Assimilated Regulation (EU) 2016/679, the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR 2003), SI 2003/2426. It is aimed at commercial organisations in the UK, with further, scenario-specific guidance signposted. The main difficulty in direct marketing is determining what the UK GDPR and PECR 2003 permit and whether consent is needed, which will differ according to the activity undertaken and the audience targeted. This Practice Note reflects the following ICO guidance: Direct marketing guidance Direct marketing using live calls Making live marketing calls about claims management services Making live marketing calls about pension schemes Direct marketing using electronic mail Guide to PECR, cookies and similar technologies Guide to PECR, what counts...

Use this in conjunction with our Decision-making guide, which outlines our organisation’s approach to decision-making and explains why we have such a process in place. We recognise that colleagues make decisions at work every day. We do not expect you to follow the Decision-making guide and this framework for minor or operational business decisions, though some of the principles in this framework may prove helpful in day-to-day practice. The Decision-making guide and framework should be applied whenever a significant business decision is required, so that such choices are grounded in evidence and logic. A significant business decision is one that [ insert your criteria, eg may have a significant effect on our business, operations, staff, customers or external stakeholders ], eg [ insert examples eg a decision to proceed with a key project or business initiative, a decision relating to a complex situation or that is likely to have a commercial impact ]. The full criteria for a significant business decision is set out in the Decision-making guide. This framework...

Note These provisions are prepared on the basis that the applicable contract is a business-to-business arrangement, with the supplier acting as processor for a customer in the role of controller, in relation to the processing of personal data governed by the United Kingdom General Data Protection Regulation (UK GDPR), Assimilated Regulation (EU) 2016/679. The terms ‘supplier’ and ‘customer’ (in place of ‘processor’ and ‘controller’) are used to simplify incorporation into commercial contracts. The drafting also relies on the additional defined terms ‘Agreement’, ‘Business Day’, ‘Customer’, ‘Data Protection Laws’, ‘Data Subject’, ‘GDPR’ and ‘Supplier’, which are assumed to be defined appropriately elsewhere in the relevant agreement. It is further assumed that ‘GDPR’ refers to UK GDPR and that ‘Data Protection Laws’ includes UK GDPR. These provisions can also be adapted for circumstances where the EU General Data Protection Regulation (EU GDPR), Regulation (EU) 2016/679, applies... 1 Definition (to be incorporated into relevant part of the agreement) 1.1 Representative •...

This Agreement is entered into on [ date ] Parties [ insert name of party ] [ of OR a company incorporated in [ England and Wales ] with registration number [ insert registered number ], whose registered office is at [ insert address ] ] (the Principal); and [ insert name of party ] [ of OR a company incorporated in [ England and Wales ] with registration number [ insert registered number ], whose registered office is at [ insert address ] ] (the Agent), (each of the Principal and the Agent is a party and, taken together, the Principal and the Agent are the parties). Background The Principal provides the Services (as defined below). The Principal intends to appoint the Agent as its non-exclusive agent within the Territory (as defined below) for the [ marketing OR marketing and sale ] of the Services, on the terms of this Agreement. The Agent has agreed...