Data protection clauses in agency and distributorship agreements: what do parties need to consider?

Data protection clauses whilst commonplace in agency and distribution agreements are often out of date. This is because whilst the General Data Protection Regulation (GDPR) is now more than four years old, there have been, and continue to be, many changes in data protection law.

Nothing seems to stand still in data protection – not least the frequency at which the relevant regulator fines businesses – large and small – which infringe data protection law.

In particular, the UK – as part of transitioning to a post-Brexit world – has adopted its own version of the GDPR (the ‘UK GDPR’). For the time being, the UK GDPR remains practically the same as the original ‘EU GDPR’, though that could well change as the UK government plans to reform its existing framework.

In addition, the rules – and the necessary contract paperwork required – around international data transfers have changed in the last 18 months: businesses subject to the UK or EU GDPR making data transfers to parties based outside the UK/EEA are now required to update their agreements as well as conduct transfer risk assessments.

With the rules constantly evolving in this area, it is important to ensure that your business’ agreements reflect the requirements. Data protection clauses are commonplace in agency and distribution agreements but that does not mean that they are always appropriate or up to date. Does your agency or distributorship agreement contain the necessary provisions to comply with applicable data protection laws?

Establishing the facts

Before determining what appropriate data protection clauses to set out in the agreement, it is first important to clarify what the facts are on the ground namely:

• Identifying which parties are processing personal data (in particular, personal details in relation to customers)
• What degree of control and autonomy each party has in relation to that data
• How the data will flow between the parties.

With regards to an agency agreement, such fact-finding questions might be:

• Will the agent be sharing customer personal data with the principal? For what purpose?
• Will the principal share its customer personal data with the agent? For what purpose?
• What types of personal data are being shared?
• How will the data be shared? For example, does the principal provide for the agent an online portal on which to input customer details? If so, where are the servers that host the data uploaded onto the portal? If the agent is subject to regular reporting obligations, is there personal data contained within the reports provided to the principal?
• Where are the agent and principal based? Which version of the GDPR is each party subject to: the EU or UK GDPR? Or both?
• Will personal data be sent to either party for processing outside the UK or EEA?

With regards to a distribution agreement, by contrast, it may be the case that the sharing of personal data is minimal. For example, such sharing may be limited to the mere routine exchange of points of contact details between supplier and distributor and there may be no actual need for the distributor to share any other personal data with the supplier.

With reference to this it is worth remembering that the GDPR is not concerned with anonymised data (for example, aggregated or statistical data which cannot be traced back to an individual person). Nonetheless, the data sharing between two parties in an agreement will always be context-specific and, depending on the circumstances, there may to be a need to apply the above questions in the distributorship context as well.

What should the agreement state?

Having obtained the facts, it is then necessary to determine to what extent – as defined under the GDPR -each of the parties carries out its activities as a controller or processor. In the latter case where one party is processing personal data on behalf of the other party (the controller) – or perhaps even whether the parties may be acting as joint controllers.

If a controller-to-processor relationship arises between the parties, then the agreement will need mandatory data processing clauses which comply with Article 28 of the UK/EU GDPR.

If the relationship is controller-to-controller, whilst clauses are not compulsory, it is nonetheless prudent to set out the parties’ responsibilities in relation to any personal data being shared as well as ensure that the parties are, and remain, compliant with data protection requirements applicable to them.

If one of the parties is to receive from the other party personal data from a location outside the UK/EEA, this adds another layer of complexity. There may be a need for:

1. Additional UK/EU-approved standard contractual clauses (SCCs) appended to the agreement
2. A separate written transfer risk assessment to be carried out.

For those businesses subject to the EU GDPR, the EU have set a deadline of 27 December 2022 to move all contracts relying on the old EU SCCs over to the new EU SCCs which were published in June 2021.

Take home points

• First understand data flows between the parties. This could require obtaining all of the facts relating to the processing of personal data under the agreement.
• Determine whether the parties are sharing data under a controller-to-controller, controller-to-processor, or joint controller arrangement.
• Determine whether any international data transfers are to take place.
• Include the necessary clauses as required by the GDPR. In the case of international data transfers, a valid set of SCCs, together with a documented transfer risk assessment, may be required.