Whenever goods or services are delivered against withdrawal, a contract is concluded. Sharpe Pritchard LLP and our team of data protection practitioners are able to provide your company with specialist legal advice on the application of the GDPR and the Data Protection Act 2018 and assist in the design and implementation of solutions to ensure compliance where necessary. It is important that you consider whether the delivery of the goods or services in question involves the processing of personal data. For example, in the case of an outsourced leisure centre, it is likely that the municipality`s leisure centre provider processes personal data (names, addresses and telephone numbers of residents who use your leisure centre) on your behalf. Even in cases where your contract does not focus on the provision of services to data subjects, for example.B. a construction contract for the installation of windows, it is likely that part of the processing of personal data will be carried out by your contractor. The Crown Commercial Service (“CSC”) published a guide for ccS providers on the steps to be taken in light of the implementation of the General Data Protection Regulation (“GDPR”) on 25 May 2018 (“the Guide”). The GDPR now strikes a more balanced balance between “processors” and “data controllers” – a data controller determines how and why personal data is processed, and a data processor acts on the instructions of the data controller. At present, direct obligations are only imposed on data controllers. However, according to the GDPR, a data processor is now faced with direct legal obligations and can be sanctioned by the Information Office (ICO) for non-compliance. In addition, data processors can now face claims for damages if they fail to meet their obligations. In practice, this means that changes must be made to existing supplier contracts.
With regard to processing activities, it is necessary to define the following points that can then be used to fulfil the personal data processing plan: the CCS, like other public bodies, has started to implement the Procurement Policy Note (PPN) 03/17, published in December 2017, which indicates how public sector buyers should update their contracts and has introduced standard generic clauses in line with the GDPR to replace existing data protection clauses. The PPN refers to a new timetable that will be used to define the nature of the personal data to be processed under contracts. You should check any existing consultation resulting from a CSC trade agreement existing after 25 May 2018 and which involves the processing of personal data, in order to ensure that it complies with the GDPR. As part of this notice of amendment, a new timetable will be set out which will define the nature of the personal data to be processed under the contract. This schedule is agreed between you and your client. A data protection processing plan, attached to the main contract for goods/ services, is the most frequently used contractual structure, which follows the development of industry standards developed by the CSC and which, if properly completed, is sufficient to ensure compliance. .