Checklist for ensuring your data processing addendum complies with the UK GDPR
1. Details of processing
The data processing addendum must include, as a minimum, the following information about the processing that is taking place by the processor under the arrangement: (i) subject-matter of the processing; (ii) the duration of the processing; (iii) the nature and purpose of the processing; (iv) the type of personal data (e.g. name, address, IP address, health data); and (v) categories of data subjects (e.g. customers, employees).
2. Documented instructions
An obligation must be included on the processor to only process personal data in accordance with the controller’s documented instructions. Those instructions could be set out in the data processing addendum itself, or provided by the controller in writing at a later date.
3. Duty of confidentiality
A clause must be included that ensures that persons authorised to process the personal data under the data processing addendum have committed themselves to binding confidentiality obligations.
4. Security measures
The processor must be required to implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing of the controller’s personal data. This could include:
the pseudonymisation and encryption of the controller’s personal data. Pseudonymisation means techniques that replace, remove or transform information that identifies individuals, and keep that information separate;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to the controller’s personal data in a timely manner in the event of a physical or technical incident; and
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
5. Conditions for appointing sub-processors
Where a processor engages another processor (known as a sub-processor) to carry out specific processing activities on behalf of the controller, the same data protection obligations as set out in the data processing addendum between the controller and the processor must be flowed down and imposed on that sub-processor. Find out more about appointing sub-processors with these FAQs.
6. Assisting with data subject rights requests
The processor must assist the controller in responding to any request from a data subject, which could include: (i) recording and referring all requests and communications received from data subjects to the controller within a specified time period; and (ii) not responding to any such requests without the controller’s express written approval, unless and to the extent required by applicable law.
7. Assisting with the controller’s other obligations
The processor must also assist the controller with other legal obligations, including notifying the controller if it becomes aware of any personal data breach and assisting the controller with the data breach reporting process.
8. Delete or return personal data on termination
At the choice of the controller, the processor must be required to either delete or return all the personal data to the controller after the end of the provision of services relating to processing.
9. Records and audit
The processor must be required to make available to the controller all information necessary to demonstrate compliance with the obligations set out in the data processing addendum and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
10. Obligation to inform the controller if its instructions infringe data protection laws
A clause should be included that requires the processor to notify a controller if an instruction given by the controller infringes data protection laws.
11. Conditions for international transfers
The processor must follow the controller’s instructions with respect to international transfers of personal data, including any restrictions on transferring personal data outside of the UK and EEA.
Final thoughts
Docue’s data protection addendum template includes all of the clauses listed above, plus more optional clauses too. Our data protection addendum template has been drafted by privacy lawyers to help your business be compliant with data protection laws - our lawyer-drafted guidance notes are there to guide you through the process so you can easily create your data processing addendum.
Unsure if you need a data processing addendum? Read our handy guide to when your business needs to use a data protection addendum template to comply with the UK GDPR.
Sign up now to use Docue's data processing addendum template.