This Checklist outlines the main factors a controller would ordinarily consider when undertaking an audit with a view to assessing whether a potential or current processor of personal data is suitable under the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR). For more detail about controllers’ obligations and engaging processors within the UK GDPR regime, see the following Practice Notes:
The UK General Data Protection Regulation (UK GDPR)
Key definitions under UK data protection law
Supply chains under data protection law—arrangements between controllers and processors
Audits of processors
Although processors subject to the UK GDPR have distinct duties under the legislation, controllers remain accountable for a processor’s handling of personal data carried out under their instructions and on their behalf. Under the accountability principle of the UK GDPR, the controller is responsible for, and must be able to demonstrate, compliance with the data protection principles in Article 5(1) UK GDPR—which include lawfulness, fairness and transparency; purpose limitation;...
This Checklist Use this Checklist when a customer appoints a supplier to process data on its behalf—for instance, a payroll or payment processing business operating under a stand-alone agreement. It addresses common issues encountered during the negotiation and preparation of data processing services agreements, covering both personal data and other data (eg statistical). The Checklist also contemplates agreements that involve processing personal data under the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (the UK GDPR). For an introduction to the UK GDPR, see Practice Note: The UK General Data Protection Regulation (UK GDPR). Where personal data is in scope, the assumption is that the supplier acts as processor (and not as controller) for the customer, who is the sole controller. For additional guidance on the terms ‘controller’ and ‘processor’, see Practice Note: Determining roles under data protection law in commercial transactions between businesses (processor, independent controller or joint controller). It is also assumed that both parties are acting in the course of business...
Flowchart This Flowchart outlines the key questions for deciding international jurisdiction in employment matters—namely, the appropriate forum for bringing proceedings and identifying the court and/or tribunal competent to hear the claim—applicable to proceedings commenced on or after 1 January 2021. For additional guidance on jurisdiction in employment disputes from 1 January 2021 onwards, consult Practice Note: International jurisdiction—the Civil Jurisdiction and Judgments Act 1982 in employment cases as set out therein...
How has the exemption available for controllers under the GDPR in relation to liability to compensate data subjects changed? Under the earlier Data Protection Directive 95/46/EC (Article 23(2)), where a person was entitled to damages from a controller due to unlawful processing, the controller could rely on a potential exemption if it was not responsible for the event that caused the loss. Recital 55 offered two illustrations of situations for which the controller would not bear responsibility: a mistake by the data subject, and a case of force majeure. The language of these provisions lacked clarity, and the concept of ‘force majeure’ has no consistent definition across EU legal systems (it does not even carry a settled meaning in English law, depending heavily on contractual wording). Unsurprisingly, this carve-out, and the reference to force majeure, was therefore loosely carried across into national implementing legislation. For example, the Data Protection Act 1998 (DPA 1998) gave a controller a defence in claims for compensation...
Does the GDPR apply to unincorporated associations, such as sports clubs, and who is responsible for compliance by an unincorporated association with the GDPR? Who is ‘controller’ or ‘processor’? Yes—the General Data Protection Regulation, Regulation (EU) 2016/679, applies to unincorporated associations in the same way it applies to companies or partnerships. The GDPR’s definitions of a ‘controller’ and a ‘processor’ encompass both natural persons and legal persons. The challenge for unincorporated associations is that they are not legal persons. They have no separate legal personality; they exist by contract, and neither statute nor case law sets out clear, definitive rules for what their governing provisions must contain. What truly matters under the GDPR is not the category of person or entity undertaking the processing, but the overall activity of collecting and using personal data. The rationale is straightforward: the law should not be capable of being avoided, and there must always be an accountable individual or body answerable to data subjects. In that respect, there is no distinction. Determining...
The ICO stresses it has acted swiftly in step with rapid advances in generative AI. Demonstrating this agility, it opened a consultation series in January 2024 focused on generative AI and data protection. Its aim was to set out how organisations might build and implement generative AI while meeting UK data protection duties, especially those in the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR). The ICO highlighted that adherence to the data protection framework is paramount when using generative AI, as such models are commonly trained on vast volumes of personal data. The consultation raised worries about insufficient transparency over how personal information is used within generative AI, which in turn creates the risk that data protection rights could be undermined...
Data security sits at the heart of the EU General Data Protection Regulation (EU GDPR). The sixth data protection principle—integrity and confidentiality—requires you to adopt suitable technical and organisational measures so that personal data is processed with appropriate security, including:
protection against unauthorised or unlawful processing
protection against accidental loss, destruction, or damage
This Practice Note reflects Data Protection Commission (DPC) guidance on personal data breaches under the EU GDPR, and also draws on guidance from the European Data Protection Board (EDPB).
Data security requirements
Article 32 puts practical detail behind the GDPR’s integrity and confidentiality principle. You must implement appropriate technical and organisational measures to achieve a level of security proportionate to the risk, taking into account:
the nature, scope, context, and purpose of processing
the risk of varying likelihood and severity for the rights and freedoms of data subjects
Where appropriate, your security measures should include: the pseudonymisation and encryption of...
Data security sits at the heart of the UK General Data Protection Regulation (UK GDPR). The sixth data protection principle—integrity and confidentiality—obliges you to implement suitable technical and organisational steps so that personal data is handled with appropriate safeguards and security when processed, including:
protection against unauthorised or unlawful processing
protection against accidental loss, destruction or damage
This Practice Note draws on ICO guidance regarding personal data breaches under the UK GDPR. It also incorporates further practical pointers and information drawn from ICO guidance on managing data security breaches issued under the previous data protection regime; that guidance has now been withdrawn. The Practice Note additionally aligns with materials from the European Data Protection Board (EDPB). According to the ICO, although the UK has left the EU, these guidelines continue to be relevant.
Data security requirements
Article 32 expands upon the GDPR’s integrity and confidentiality principle by setting out further detail...
Practice Note This Practice Note sits within the Data Protection Negotiation Guide (Guide). This section covers negotiating clauses on erasure and handback of personal data once processing ends in agreements between controllers and processors that are subject to the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR). For an introduction to the Guide, see Practice Note: Data protection negotiation guide—controller: processor—introduction. This Practice Note uses a number of common abbreviations, which are defined separately in that introduction. As explained in Practice Note: Data protection negotiation guide—controller: processor—introduction:
the parties may commercially apportion the costs and expenses of fulfilling these obligations between themselves
there are notable similarities between the UK GDPR and the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), and the Guide concentrates on the position under the UK GDPR
For information about the background to the UK GDPR and its relationship with the EU GDPR, see Practice Note: The UK General Data Protection Regulation (UK GDPR)—Summary of...
Danish SCCs A set of Standard Contractual Clauses (SCCs) designed to meet Article 28(3) of the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), specifically addresses contractual arrangements between controllers and processors and was formally issued by the Danish data protection supervisory authority (the Danish SCCs). Their release followed an opinion from the European Data Protection Board (EDPB). The Danish SCCs are distinct from SCCs that concern cross-border international personal data transfers under Chapter V of the EU GDPR...
Within this precedent, the following extra defined terms are used: ‘Agreement’, ‘Business Day’, ‘Charges’, ‘Customer’, ‘Services’, ‘Supplier’ and ‘Supplier Personnel’. They are not specific to data processing and are assumed defined separately in the relevant agreement...
Note These provisions are prepared on the basis that the applicable contract is a business-to-business arrangement, with the supplier acting as processor for a customer in the role of controller, in relation to the processing of personal data governed by the United Kingdom General Data Protection Regulation (UK GDPR), Assimilated Regulation (EU) 2016/679. The terms ‘supplier’ and ‘customer’ (in place of ‘processor’ and ‘controller’) are used to simplify incorporation into commercial contracts. The drafting also relies on the additional defined terms ‘Agreement’, ‘Business Day’, ‘Customer’, ‘Data Protection Laws’, ‘Data Subject’, ‘GDPR’ and ‘Supplier’, which are assumed to be defined appropriately elsewhere in the relevant agreement. It is further assumed that ‘GDPR’ refers to UK GDPR and that ‘Data Protection Laws’ includes UK GDPR. These provisions can also be adapted for circumstances where the EU General Data Protection Regulation (EU GDPR), Regulation (EU) 2016/679, applies... 1 Definition (to be incorporated into relevant part of the agreement) 1.1 Representative •...