| Author: | Alasdair Taylor |
| Updated: | 4 January 2021 |
| Length: | 9 pages |
| Notes: | 11 pages |
| Format: | MS Word (.DOCX) |

The GDPR (General Data Protection Regulation, Regulation (EU) 2016/679) and its UK offspring include detailed rules on the content of contracts between organisations that act as processors of personal data and those that act as sub-processors. This agreement is designed to help both processors and sub-processors to comply with their obligations under the GDPR.
Note that we have a separate document for controller-processor contracts. To illustrate the different categories of actor here: a social network operator would usually be a controller, while a hosting services reseller providing services to the operator would usually be a processor, and the ultimate provider of the hosting services would be a sub-processor of the reseller.
This agreement can be used alongside a services agreement, and it can be used in addition to a services agreement that was signed in the past.
The basic T&Cs in this document are very much like the terms in our controller-to-processor data processing agreement. The main distinction is that the “standard contractual clauses” are unavailable as a way of transmitting personal data to a sub-processor not in the EEA/UK.