Data protection clauses, whilst commonplace in agency and distribution agreements, are often out of date. This is because, whilst the General Data Protection Regulation (GDPR) is now more than four years old, there have been, and continue to be, many changes in data protection law.
Nothing seems to stand still in data protection – not least the frequency at which the relevant regulator fines businesses – large and small – which infringe data protection law.
In particular, the UK – as part of transitioning to a post-Brexit world – has adopted its own version of the GDPR (the ‘UK GDPR’). For the time being, the UK GDPR remains practically the same as the original ‘EU GDPR’, though that could well change as the UK government plans to reform its existing framework.
In addition, the rules – and the necessary contract paperwork required – around international data transfers have changed in the last 18 months: businesses subject to the UK or EU GDPR making data transfers to parties based outside the UK/EEA are now required to update their agreements as well as conduct transfer risk assessments.
With the rules constantly evolving in this area, it is important to ensure that your business’ agreements reflect the requirements. Data protection clauses are commonplace in agency and distribution agreements but that does not mean that they are always appropriate or up to date. Does your agency or distributorship agreement contain the necessary provisions to comply with applicable data protection laws?
Before determining which data protection clauses are appropriate to set out in the agreement, it is first important to clarify what the facts are on the ground, namely:
With regard to an agency agreement, such fact-finding questions might be:
With regard to a distribution agreement, by contrast, it may be the case that the sharing of personal data is minimal. For example, such sharing may be limited to the mere routine exchange of points of contact details between supplier and distributor and there may be no actual need for the distributor to share any other personal data with the supplier.
With reference to this, it is worth remembering that the GDPR is not concerned with anonymised data (for example, aggregated or statistical data which cannot be traced back to an individual person). Nonetheless, the data sharing between two parties in an agreement will always be context-specific and, depending on the circumstances, there may be a need to apply the above questions in the distributorship context as well.
Having obtained the facts, it is then necessary to determine to what extent each of the parties carries out its activities as a controller or a processor, as those terms are defined under the GDPR. In the latter case, one party is processing personal data on behalf of the other party (the controller). It is also necessary to consider whether the parties may perhaps even be acting as joint controllers.
If a controller-to-processor relationship arises between the parties, then the agreement will need mandatory data processing clauses which comply with Article 28 of the UK/EU GDPR.
If the relationship is controller-to-controller, whilst clauses are not compulsory, it is nonetheless prudent to set out the parties’ responsibilities in relation to any personal data being shared, as well as to ensure that the parties are, and remain, compliant with the data protection requirements applicable to them.
If one of the parties is to receive from the other party personal data from a location outside the UK/EEA, this adds another layer of complexity. There may be a need for:
For those businesses subject to the EU GDPR, the EU have set a deadline of 27 December 2022 to move all contracts relying on the old EU SCCs over to the new EU SCCs which were published in June 2021.