Author: | Alasdair Taylor |
Updated: | 4 January 2021 |
Length: | 9 pages |
Notes: | 11 pages |
Format: | MS Word (.DOCX) |
The GDPR (General Data Protection Regulation, Regulation (EU) 2016/679) and its UK offspring include detailed rules on the content of contracts between organisations that act as processors of personal data and those that act as sub-processors. This agreement is designed to help both processors and sub-processors to comply with their obligations under the GDPR.
Note that we have a separate document for controller-processor contracts. To illustrate the different categories of actor here: a social network operator would usually be a controller, while a hosting services reseller providing services to the operator would usually be a processor, and the ultimate provider of the hosting services would be a sub-processor of the reseller.
This agreement can be used alongside a services agreement; and it can be used in addition to a services agreements that was signed in the past.
The basic T&Cs in this document are very much like the terms in our controller-to-processor data processing agreement. The main distinction is that the “standard contractual clauses” are unavailable as a way of transmitting personal data to a sub-processor not in the EEA/UK.