Data processing agreement

  • DATA CONTROLLER

    Where a Controller uses third party systems to process personal data, the responsibility for consent still lays with it. Controllers bear the onus of acquiring GDPR-standard consent (or indicating any other lawful basis for processing the data), demonstrate it to the regulator and ensure it can be withdrawn as easily as it was given. Therefore, selecting Processors who are themselves GDPR-compliant and can support the controller’s obligations is key.

    If the third party has processing purposes that are separate from the Controller's purposes, then the third party is deemed a Controller under Article 28.10. Here, the third party must secure its own legal basis for processing, whether by consent or another legal basis.

    The Controller may update its contracts to seek certainty that its Processors are adhering to the same GDPR standard and that any breach can be indemnified by the Processor. Meanwhile, if the Processor believes the Controller infringes GDPR, they have an obligation under Article 28 to inform the Controller and record the notification.

  • CCTV GDPR

    The legal requirements pertaining to surveillance and personal cameras are contained within the code of practice issued by the ICO.

    Surveillance is now a proactive technology which can identify people and keep detailed records of activities.

    As a consequence of the greater use of personal surveillance, the Protection of Freedoms Act (POFA) was passed in England and Wales. The POFA has seen the introduction of a new surveillance camera code and appointment of a Surveillance Camera Commissioner, while the ICO's code of practice adds even more enforcement powers.

  • GDPR terms and conditions

    The Key terms and definitions you need to know: 

    Binding corporate rules: personal Data Protection policies adhered to by controller or processor in the Member State for transfer of personal data to controller or processor in third country

    Originally devised by Article 29 Working Party to transfer secure large data internationally while reducing bureaucracy

    GDPR establishes conditions for Member State to establish own binding corporate rules to streamline international transfers.

  •  

    Practicalities of a data processing agreement

    Article 28 of the General Data Protection Regulation (GDPR) states the conditions of a data processing agreement between the data controller and the data processor.

    Recently, this agreement has been brought in to question, regarding its workability and whether it is actually working in the way it is prescribed in the GDPR requirements. https://gdpr-info.eu/art-28-gdpr/

    Organisations are usually established as the data controller, and the program they use acts as the data processer, i.e. Microsoft One Drive for Business, which is utilised by various companies. In accordance with Article 28 of the GDPR, an organisation should have a controller-processor agreement with their chosen software, which would usually be dictated by the data processor.

  • Subject Access Request outside of the EU

    On some occasions, an EU subject may require a Subject Access Request (SAR) which involves a transaction outside of the EU. Therefore, data processors must be aware that a data controller outside of the EU will not necessarily give up any or many obligations to the General Data Protection Regulation (GDPR).

    So, the question is whether data processors need to address the Subject Access Request without the controller or not?

Make a free enquiry, call now

0151 659 1070




Please let us know your name.



Please enter a valid telephone number



Please let us know your email address.



Please let us know your message.

Please tick the box below

Invalid Input

Invalid Input
I understand that by submitting my query to you, my personal data (name, email address and contact number) will be processed by you in order to contact me and assist me with my query. I confirm I have read and understood the Privacy Notice and I consent to you processing my data for the purpose of contacting me to assist me with my query.




How can we help you?

To find how our friendly and knowledgeable solicitors can help you, contact us today.

Make a free enquiry - Call now - 0151 659 1070