Legal Precedents

STOP PRESS: On 19 June 2025, the Data ( Use and Access) Bill obtained Royal Assent, becoming the Data ( Use and Access) Act 2025 ( DUAA 2025) and partially commencing on that date. Certain DUAA 2025 provisions, addressing areas such as dealing with data subject access requests and conferring powers to make further regulations, took effect immediately on 19 June 2025. Other provisions, concerning notices from the Information Commissioner and particular elements of law enforcement processing, came into effect on 19 August 2025 (two months from Royal Assent). The majority of DUAA 2025’s measures require additional regulations, by way of statutory instruments, before they can commence. Parts 5 and 6 of DUAA 2025 operate to amend elements of UK data protection and e Privacy law, including the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR), the Data...

This Agreement is entered into on [ date ]. Parties [ Insert name of party ] [ of [ insert address ] OR a company incorporated in [ England and Wales ] with registration number [ insert registered number ], whose registered office is at [ insert address ] ] (the Recipient); and [ Insert name of party ] [ of [ insert address ] OR a company incorporated in [ England and Wales ] with registration number [ insert registered number ], whose registered office is at [ insert address ] ] (the Discloser), Each of the Discloser and the Recipient is a party and, collectively, the Discloser and the Recipient are the parties. Background The Recipient conducts the business of [ insert details ], and the Discloser engages in the business of [ insert details ]. The Discloser intends to...

Hardship Hardship means [ , subject to clause [ 1.6 OR 1.7 ] , ] a [ fundamental OR material ] alteration in the equilibrium of a party’s benefits and obligations under this Agreement, brought about by a [ legal, technical, political, economic or financial ] event (or events) that arises [ or the impact of which becomes known to the affected party ] during the term of this Agreement and which: is not a [ insert (eg ‘ Force Majeure Event’ or ‘circumstance to which clauses [ X] or [ Y] relate’) ]; [ except in the case of the circumstances referred to in [ insert reference eg to clause 1.6 or 1.7 if appropriate ], ] could not reasonably have been foreseen, mitigated or avoided by the Disadvantaged Party at the time of execution of this Agreement; is outside the control of [ the...

Stop press: The Data ( Use and Access) Act 2025 ( Commencement No 6 and Transitional and Saving Provisions) Regulations 2026 ( SI 2026/82) activate the remaining provisions of the Data ( Use and Access) Act 2025 ( DUAA 2025). Provisions on subject access requests, legitimate interests, purpose limitation, automated decision-making, international transfers and enforcement apply from 5 February 2026, while measures on penalty notices and complaints take effect from 19 June 2026. For further guidance, see Practice Note: Data ( Use and Access) Act 2025—employment implications. This Precedent will be updated shortly to reflect these developments. 1 Introduction The Company upholds the highest standards of information security and treats confidentiality and data protection with the utmost seriousness. This bring your own device ( BYOD) policy complements the Company’s other policies and procedures, which collectively require staff to take...

This [ page ] constitutes a section of our privacy policy and offers expanded detail on the recipients of your personal data, complementing the summary found in [ insert as appropriate, eg section [ insert ] of our privacy policy ]. For ease, terms bear the same meanings as used throughout the policy......

STOP PRESS: On 19 June 2025, the Data ( Use and Access) Bill secured Royal Assent, transforming into the Data ( Use and Access) Act 2025 ( DUAA 2025), with partial commencement on that very same day. A number of DUAA 2025 provisions, covering areas like handling data subject access requests and granting powers to make additional regulations, took effect immediately on 19 June 2025. Other related provisions, relating to Information Commissioner notices and certain aspects of law enforcement processing, commenced on 19 August 2025 (being two months from the date of Royal Assent). The majority of DUAA 2025’s measures still require further regulations, in the form of statutory instruments, to be made in order to bring them fully into force. Parts 5 and 6 of DUAA 2025 serve to amend several facets of data protection and e Privacy law in the UK,...

STOP PRESS: On 19 June 2025, the Data ( Use and Access) Bill secured Royal Assent, becoming the Data ( Use and Access) Act 2025 ( DUAA 2025), with partial commencement on that date. In force from 19 June 2025: provisions on handling data subject access requests and the granting of powers to make further regulations. In force from 19 August 2025 (two months after Royal Assent): measures relating to notices from the Information Commissioner and certain aspects of law enforcement processing. The majority of DUAA 2025’s measures will commence only when further regulations, in the form of statutory instruments, are made. Parts 5 and 6 of DUAA 2025 amend elements of UK data protection and e Privacy law, including the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic...

An e-signature, or a signed signature page transmitted by email, shall carry the same effect as an original signature page executed in wet ink. Execution of this Agreement by email, or through any other electronic method, shall be regarded as valid execution by the parties and shall constitute effective execution of this Agreement. The parties may rely on such electronic signatures in lieu of wet-ink signature page(s) of this Agreement for any and all purposes......

STOP PRESS: On 15 January 2026, the Information Commissioner’s Office issued updated UK GDPR guidance on international transfers, including advice on ‘appropriate safeguards’ (see: LNB News 16/01/2026 10). It confirms the UK Addendum can be concluded in any manner that renders it legally binding and enforceable, and clarifies how Part 2 ( Mandatory Clauses) of the UK Addendum can be incorporated by reference by inserting specified wording into the contract. This Precedent is being revised to align with that guidance. For clause 1, UK Addendum means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the United Kingdom’s Information Commissioner. The [insert defined term for party, eg Supplier] must meet the Importer’s obligations, and the [insert defined term for party, eg Customer] must meet the......

[ insert name and address of sender ] ( We) Our reference: [ insert reference ] Your reference: [ insert reference ] [ insert address of recipient ] ( You) 1 In this letter, the following terms have the following meanings: 1.1 Affiliate refers to any entity that, directly or indirectly, Controls, is Controlled by, or is under shared Control with, another entity; 1.2 Authorised Persons denotes the officers and directors, members and partners, employees, consultants, sub-contractors, agents, representatives, or professional advisers of a party and/or its Affiliate(s); 1.3 Confidential Information means all information of a confidential nature that either we or you hold or obtain from the other (whether directly or indirectly), including the other’s know-how, trade secrets, plans, developments, financial, commercial, technical, tactical, strategic, marketing, operations, customer or product information, personnel information, any information marked as or agreed to be...

This Agreement is entered into on [ date ] Parties [ insert name of party ] [ of [ insert details ] OR a company incorporated in [ England and Wales ] under number [ insert registered number ] whose registered office is at [ insert address ] ] ( Party A ); [ insert name of party ] [ of [ insert details ] OR a company incorporated in [ England and Wales ] under number [ insert registered number ] whose registered office is at [ insert address ] ] ( Party B ), each of Party A and Party B being a party and together they are the parties......

This precedent is for use between a processor and sub-processor. It presumes the sub-processor can negotiate relatively advantageous terms, and that the initial processor has contracted with the controller by reference to Precedent: Personal data processing schedule—pro-supplier— UK GDPR and EU GDPR. For a compilation of standard provisions suitable for contracts between a controller and a processor, see: List of data protection clauses and agreements for commercial transactions and personal data processing and sharing. This precedent also relies upon additional defined expressions—‘ Agreement’, ‘ Business Day’, ‘ Charges’, ‘ Customer’, ‘ Services’, ‘ Supplier’, and ‘ Supplier Personnel’—which are not intended to be unique to this schedule and are expected to be defined separately within the applicable agreement......

This precedent applies to arrangements between a processor and sub-processor, and presumes the customer (acting as the original processor) intends to pass through terms settled with a controller, by reference to Precedent: Personal data processing schedule—pro-customer— UK GDPR and EU GDPR. For a list of precedent provisions for use between a controller and processor, see: List of data protection clauses and agreements for commercial transactions and personal data processing and sharing. This precedent also employs the additional defined terms ‘ Agreement’, ‘ Business Day’, ‘ Customer’, ‘ Services’, ‘ Supplier’ and ‘ Supplier Personnel’, which are unlikely to be unique to this schedule and are assumed to be defined elsewhere within the relevant agreement......

Chapter V ( Transfers of personal data to third countries or international organisations) In brief, the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR), restricts the transfer of personal data beyond the UK (and to certain ‘international organisations’). ‘ Assimilated law’ is the label applied to retained EU law that continues in force after the end of 2023. For further information, see Practice Note: Assimilated law and News Analysis: Implications of the move to ‘assimilated’ law, and the Retained EU Law ( Revocation and Reform) Act 2023, for data protection lawyers. One of the most frequently relied upon transfer mechanisms used to comply with those international transfer restrictions is commonly known as standard contractual clauses ( SCCs). This document includes a link to a template SCC issued by the UK Information...

Chapter V ( Transfers of personal data to third countries or international organisations) In summary, Chapter V of the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR), places limits on sending personal data outside the UK and to certain ‘international organisations’. A frequently used route to satisfy these international transfer rules is the use of standard contractual clauses ( SCCs). This document provides a link to a template SCC released by the UK Information Commissioner’s Office ( ICO) in 2022. The key details of that template SCC are: Name: International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (the Addendum) Purpose: An addendum that can be used to rely on the SCCs issued by the European Commission in June 2021 for use under the EU’s General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDPR) as an SCC...

Within this precedent, the following extra defined terms are used: ‘ Agreement’, ‘ Business Day’, ‘ Charges’, ‘ Customer’, ‘ Services’, ‘ Supplier’ and ‘ Supplier Personnel’. They are not specific to data processing and are assumed defined separately in the relevant agreement......

This template relies on extra defined expressions ‘ Agreement’, ‘ Business Day’, ‘ Customer’, ‘ Services’, ‘ Supplier’ and ‘ Supplier Personnel’, which are generic rather than data-processing specific, and are presumed to be set out elsewhere in the applicable contract......

FORTHCOMING CHANGE On 19 June 2025, the Data ( Use and Access) Bill secured Royal Assent, thereby transforming into the Data ( Use and Access) Act 2025 ( DUAA 2025) and taking partial effect immediately on that same day. Parts 5 and 6 modify elements of UK data protection and e Privacy law across the domestic framework, expressly covering the United Kingdom General Data Protection Regulation, the Assimilated Regulation ( EU) 2016/679 ( UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications ( EC Directive) Regulations 2003, SI 2003/2426, as relevant measures. Some DUAA 2025 measures, addressing issues like handling data subject access requests and granting authority to make further regulations, also commenced straightaway on 19 June 2025 without delay. Other elements, relating to notices from the Information Commissioner and certain facets of law enforcement processing, take effect on 19 August 2025 (two...

STANDARD CONTRACTUAL CLAUSES SECTION I Clause 1 Purpose and scope The objective of these standard contractual clauses is to guarantee observance of the requirements of Regulation ( EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on protecting natural persons in relation to the processing of personal data and the free movement of such data ( General Data Protection Regulation) (1) for transfers of personal data to a third country. The Parties: (i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (collectively, ‘entity/ies’) that transfer the personal data, as set out in Annex I. A (each a ‘data exporter’), and (ii) the entity/ies in a third country that receive the personal data from the data exporter, whether directly or indirectly via another entity that is also a Party to these Clauses, as set out in...

STANDARD CONTRACTUAL CLAUSES SECTION I Clause 1 Purpose and scope The aim of these standard contractual clauses is to secure compliance with Regulation ( EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 regarding the protection of natural persons in relation to the processing of personal data and the free movement of such data ( General Data Protection Regulation) (1) for transfers of personal data to a third country... The Parties: the natural or legal person(s), public authority/ies, agency/ies, or other body/ies (together ‘entity/ies’) that transfer the personal data, as identified in Annex I. A (each a ‘data exporter’), and the entity/ies in a third country receiving the personal data from the data exporter, either directly or through another entity that is also a Party to...