A lot of the focus on the new data handling and processing rules that came into force on 25th May 2018 under the General Data Protection Regulation (GDPR) has been on systems and processes; for example, how, as businesses, we are all requesting, collecting, using, sharing and storing data belonging to others (whether those others are employees, actual or target customers, or other third parties).
We need to look at the legal documentation that supports those activities and relationships too. Often, we’re not looking at large or wholesale changes to these documents, but nevertheless, many of the standard data protection and data handling terms on which businesses have relied to date will need refreshing in order to ensure compliance.
In our guide How to ensure your existing employment contracts are GDPR-compliant, together with Farillio’s trusted legal experts on employment law and commercial law, Pam Sidhu and Helen Smart, we took a look at your options for handling the impact of the new regulations on the data protection clauses that may be included in your existing employment contracts, as well as how to handle your employee-related privacy notices and internal data protection policy.
Any business that is dealing with personal data will need to ensure it is applying the right degree of legal rigour and process compliance to its GDPR obligations, or risk not just legal consequences, but rather weighty reputational damage, which may affect both customer and talent retention and acquisition.
Here, together again with the benefit of Helen’s expertise, we’ll focus on what other contracts (besides the employment ones) that you may need to be reviewing, updating or perhaps bringing to a close or renegotiating as a result of the new changes.
Do you have a website?
If you have a website, you should have the following legal documents clearly available on it. Most, if not all, of them should be reviewed during your GDPR-compliance cross-checks and may need to be refreshed:
1. Your cookie policy for the site
This explains:
a. how the site-owner is collecting user data
b. for what purposes it is using or sharing that data
c. what the lawful basis (or bases) are for processing personal data, and
d. details about how the user may turn off or block cookies (as well as any possible consequences of taking such action).
2. Your terms of use for the site
These make clear how site-visitors are permitted to interact with your site, and what you do not consent to them doing (e.g. copying your content).
3. Your privacy notice for the site
This covers essential explanations about:
a. your business
b. how you safeguard your users’ privacy
c. for what purposes data is used on the site
d. who data may be shared with, and
e. what your users’ rights are under the relevant data protection legislation.
4. Your terms and conditions for the site
You’ll need these where you are selling or otherwise trading on that site.
Usually, as the bare minimum, these legal materials are accessible from the foot of every web-page on your site.
What needs to be reviewed and potentially changed?
Whether you need to make changes to your existing materials will depend on the current wording of the documents you have in place.
If you don’t have these documents in place, then you should get them in place in order to run your site lawfully and in a commercially robust way. The good news is that you can use Farillio’s templates to quickly create some that will help you to get GDPR-compliant on your website. Be sure to look out for the difference between sites aimed at other businesses and those aimed at consumers – because different trading terms and variations on the documentation may apply.
For those of your materials that do already exist, you will need to check these for compliance with GDPR. This could include checking that the new items which are required in privacy notices under GDPR (such as an explanation of users’ rights and details about the lawful basis for processing their personal data) are covered in your drafting.
If you provide services which include handling personal data, then you will need to assess the manner in which you are handling personal data (i.e. are you handling it as a ‘data controller’ or as a ‘data processor’?) and ensure that you have clauses in your terms and conditions to cover this. (We’ve included a quick reminder about who is a ‘data controller’ vs a ‘data processor’ in the data processing services section further below.)
Do you have terms and conditions or other trading agreements in place?
Consent to personal data handling provisions will not typically be found in other contracts (i.e. trading agreements) so the position is not quite the same as it is for employment contracts.
However, commercial agreements may still need to be amended to be GDPR-compliant. For example, if you act as a data processor on behalf of your client (providing, e.g., IT, payroll or accountancy services), then you will need to include GDPR-compliant controller-processor clauses (see the processing services section below for more details on this).
How to amend these relevant commercial agreements
Here, the general contract law rules of variation will apply, so if change is needed, each contract needs to be checked for what it currently says about how any variation to it can be made.
Most contracts will contain what’s called a ‘variation clause’ that will prohibit any variation without one or both parties’ express written consent to the proposed revised term.
Since any legally required revisions to clauses that cover how data can and will be handled, by either or both parties, are likely to be in their mutual interests to agree and implement, getting the variation in place may not be a particularly controversial process.
However, it might not be at all practical to follow this approach where the party who drafted the original contract has entered into many different contracts, with many different parties, and needs expressly to agree in writing a variation with each.
In circumstances like these, rather than varying the actual terms of the contract (and risking removing, or omitting to revise, something key that then impacts the effectiveness or legality of the contract afterwards), some businesses have taken the approach of entering into separate data protection agreements, or addendums to existing contracts, which confirm the agreed basis on which one or more parties’ data will now be handled. Although a separate document still needs to be created, agreed and signed in each case, this can be a more straightforward and often swifter approach.
The availability of this option will, however, depend to a large extent on:
- what the existing contract says about variation;
- what and how much data is involved (for example, where data processing does not form a large part of the contract, then a simple set of clauses may be sufficient; but where a large part, or the main focus, of the contract involves personal data, then more tailored clauses may be required); and
- the roles of the parties (for example, whether they are data controllers or data processors).
In reality, personal data is involved in nearly every business relationship. Other than terms and conditions, many trading agreements may include provisions about personal data and/or data protection that will need to be reviewed for GDPR compliance. Agreements such as franchise agreements, distribution agreements and agency agreements will all need to be reviewed.
You will also need to consider any agreements with others who handle personal data on your behalf (see below for more details).
Using e.g. MailChimp or other third-party providers to send your email marketing campaigns
You can use third-party providers, such as MailChimp, to manage your email marketing campaigns provided that you conduct due diligence on them, so that you are satisfied that they will comply with GDPR, and so long as your contracts with them contain the obligatory minimum contractual clauses and protections.
(And you’ll still need to follow the new rules on direct consent, opt-ins and marketing activities, which are set out in our various GDPR guides. Take a look at our guide to data handling rules – and what the GDPR means for small businesses, for a reminder.)
These types of service providers count as ‘data processors’ under the GDPR. See the section below to see the guidance that applies to them.