Written Arrangements
- Context: with regard to common processing operations for purposes as set out in a direct contract between controllers, or indirectly through them with other controllers that provide services, including a memorandum of understanding or similar agreement, the parties, in their legitimate interests, acknowledge the joint processing of personal data, including jointly determining the purposes and means of processing. In order to preserve the integrity of the personal data and the manner in which they are processed, each controller (“parties” or “party”) acknowledges its part in ensuring the systems, processes and organisational set-up are fit for purpose, and accepts its respective roles and responsibilities, as laid out here, to minimise the likelihood of any unauthorised or unlawful processing of the personal data.
- These written arrangements are referred to in information sharing agreements between joint controllers and reflect the duties and tasks of the parties involved. They are a technical and organisational measure to address the varying likelihood and severity of risks to the rights, freedoms, and interests of affected individuals with respect to the joint processing of their personal data for the stated purposes. They cover obligations to address data protection principles, legal basis, security measures, data breach notification obligations, data protection impact assessments, the use of processors, international transfers of personal data, and contacts for individuals and the regulator. The roles and responsibilities of the involved parties cover the management, support and provision of the services and systems used to collect, process, share, store, and delete personal data.
- Each party shall be accountable for their respective data protection obligations.
- Each party shall define their respective data protection obligations precisely.
- At the time of the determination of the means and at the time of the joint processing itself, each party shall be responsible for demonstrating compliance with data protection by design by implementing appropriate technical and organisational measures designed to support the data protection principles effectively and maintain an appropriate level of security proportionate to the risks presented by the processing.
- The pre- and post-processing shall be separate from the joint processing and subject to other arrangements and legal bases where applicable.
- Each party shall notify other parties of their designated contact, who shall through agreed channels manage any communications relating to data protection matters, such as rights requests by individuals, personal data breaches or other incidents, and enquiries from supervisory or competent authorities.
- Where individuals bypass a party’s designated contact and contact another party, they shall be referred back to the designated contact without undue delay, and in any case within 24 hours.
- In relation to the joint processing and for the stated purposes, each party shall observe the general principles of data protection.
- Regarding the principle of lawfulness, fairness and transparency, each party shall:
- have in place adequate policies and training outlining the principles to be followed by its employees and workers to ensure personal data is processed fairly, lawfully, transparently and in a manner consistent with its legitimate business interests.
- provide in its privacy notice the essence of these arrangements, including at least that:
- personal data is jointly processed with other parties in our legitimate interests for the stated purposes, including profiling;
- individuals may exercise their right to request further details at any time; and
- the contact details for correspondence regarding data protection matters.
- Regarding the principle of purpose limitation, each party shall:
- process personal data for the stated purposes, including profiling;
- respect the limitations on further processing of such personal data for purpose(s) after the joint processing, including conducting a compatibility test for any new purpose(s), and:
- where not compatible with the current purposes, undertake not to process personal data for that new purpose without the authority to do so;
- where compatible, further consider additional technical and organisational measures as required, and inform the other parties of the intention to do so.
- respect the limitations of any prior purpose(s) and associated processing before the joint processing.
- Regarding the principle of data minimisation, each party shall only process personal data that is adequate, relevant and limited to what is necessary for the stated purposes or as obligated to do so by law.
- Regarding the principle of accuracy, each party shall:
- ensure that personal data remain accurate and, where necessary, are kept up to date; and
- take every reasonable step to ensure that any inaccurate personal data, having regard to the stated purposes, are erased or rectified without delay.
- Regarding the principle of storage limitation, each party shall:
- keep such personal data in a form which permits identification of individuals for no longer than is necessary for the purposes for which the personal data are processed.
- specify in its policy documentation procedures for the tracking and deletion of personal data according to their retention schedules.
- retain personal data for the duration of the business relationship between the parties or until instructed to delete personal data under the terms of a contract, except where lawfully required to retain the personal data for longer.
- Regarding the principle of integrity and confidentiality, each party shall:
- process in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
- have in place adequate documentation, including policies and employee or worker contracts, clearly designating personal data as confidential so that only legitimate, authorised processing of personal data takes place.
- in relation to introducing new parties to the common processing activities, a party wishing to introduce a new party to the processing in any capacity shall do so only with the appropriate authority.
- in relation to transferring personal data to third countries or international organisations, any transfer shall be subject to a transfer test and, where applicable, appropriate technical, contractual and organisational measures shall be applied, such as encryption, at least to meet the four ‘essential guarantees’.
- Regarding the principle of accountability, each party shall:
- manage risk adequately, including necessity, proportionality and legitimacy tests, data protection impact assessments, legitimate interests assessments, and transfer risk assessments, as required.
- make any risk assessment available to the other parties upon reasonable request.
- maintain a record of processing activities including in particular a list of recipients of the personal data, which must be provided to the other parties upon reasonable request as required without undue delay.
- log all individuals’ rights requests as per data protection obligations.
- Each party acknowledges that personal data is shared and processed in relation to the stated purposes, including profiling, based on:
- legitimate interests for general processing, whilst
- for special categories of personal data, the processing is necessary for
- the purposes of carrying out the obligations and exercising specific rights of the party or of the individual in the field of employment and social security and social protection law, or
- if applicable, reasons of substantial public interest as laid down by legislation.
- Each party shall state the legal bases it relies upon for any additional specified, explicit and legitimate purposes that it processes personal data for, which shall be proportionate to the legitimate aim pursued, and, in particular, refer to:
- the types of data which are subject to the processing;
- the individuals concerned;
- the entities to, and the purposes for which, the personal data may be disclosed;
- purpose limitation;
- storage periods; and
- processing activities and processing procedures, including measures to ensure lawful and fair processing.
- Each party shall be responsible for undertaking its own necessity, proportionality and legitimacy tests to justify further processing, taking utmost account that such purposes are not incompatible with the stated purposes by undertaking a compatibility test taking into account, inter alia:
- any link between the stated purpose and the intended further purposes;
- the context in which the personal data have been collected, in particular regarding the relationship between individuals and the respective party as well as other parties that may be involved with the processing activities;
- the nature of the personal data, in particular whether special categories of personal data are processed, or whether personal data related to criminal convictions and offences are processed;
- the possible consequences of the intended further processing for individuals;
- the existence of appropriate safeguards, which may include encryption or pseudonymisation.
- The legal basis for all processing, including general processing as well as processing of special categories of personal data, shall be documented appropriately and made available upon reasonable request to other parties involved with the joint processing.
- Each party shall undertake its own data protection impact assessment (“DPIA”) with regards to the joint processing to set out which party is responsible for the various measures designed to manage or mitigate any identified risks and to protect the rights, freedoms, and interests of individuals, in particular regarding automated decision-making, special categories of personal data, or where the individual is a child.
- Each party shall provide practical assistance upon reasonable request to another party undertaking its DPIA.
- Each party shall consider completing a DPIA for any further planned processing activities that are large scale; involve profiling or monitoring; decide on access to services or opportunities; or involve sensitive data or vulnerable individuals.
- Unless the party has already conducted a substantially similar DPIA, each party shall undertake DPIAs for any further planned processing activities and associated purpose(s) which in particular are likely to result in a high risk or as identified by the regulator.
- When undertaking a DPIA, the party shall take utmost account of applicable statutory data protection and other relevant codes including the age-appropriate design code (also known as the Children’s code) or Data Sharing code.
- When undertaking a DPIA, the party shall take utmost account of risks to the rights and freedoms of individuals caused by the nature, scope, context and intended purpose(s).
- When undertaking a DPIA, the party shall take utmost account of any:
- concerns affected individuals may have;
- impact that stakeholders may have, including on other parties involved with the processing activities such as processors, controllers, and joint controllers; and
- concerns the data protection officer may have, if appointed.
- For personal data that is processed for the stated purposes or any further processing activities and associated purpose(s), each party shall have in place appropriate technical and organisational measures so that personal data shall be processed in a manner that ensures a level of security appropriate to the personal data being processed, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Each party shall be able to demonstrate the ability to:
- manage their respective security risk by:
- taking appropriate steps to identify, assess and understand security risks to personal data and the systems that process such data;
- implementing appropriate organisational structures, policies, and processes to systematically manage security risks to personal data; and
- managing, in particular, risks relating to processing activities that may arise as a result of engaging other parties such as controllers, joint controllers, and / or processors, including ensuring that they employ appropriate security measures, such as, in the case of processors, requiring sufficient guarantees about their technical and organisational measures.
- protect personal data against cyber-attack with proportionate security measures which cover the personal data processed as well as the systems that process such data, these measures to include compliance with any Information Security policies and:
- securing the data by implementing technical controls (such as appropriate encryption) to prevent unauthorised or unlawful processing of personal data, whether through unauthorised access to user devices or storage media, backups, interception of data in transit or at rest, or access to data that might remain in memory when technology is sent for repair or disposal;
- training staff by giving appropriate support to help them manage personal data securely, including the technology they use;
- monitoring and recording authorised user access to that data, including detecting anomalous user activity; and
- having processes in place, where unexpected events or indications of a personal data breach are detected, to act upon those events as necessary in an appropriate timeframe.
- minimise the impact of a personal data breach, restore systems and services, including the availability and access to personal data in a timely manner in the event of a physical or technical incident, manage incidents appropriately, and learn lessons for the future, by:
- effective response and recovery planning;
- taking steps, when a personal data breach occurs, to understand the root cause and take appropriate action, including documenting lessons learned and, where required, reporting the breach to the ICO, the National Cyber Security Centre, other relevant bodies, and affected individuals.
- For personal data that is processed for the stated purposes or any further processing activities and associated purpose(s), when identifying a personal data breach referred to in the sub-paragraph of this clause, each party shall without undue delay, and in any case within 24 hours of becoming aware of the personal data breach, inform other parties about the nature, scope and context of the personal data breach where required, and
- agree which party is the source of the personal data breach, and
- that party shall take the lead in managing the personal data breach including investigating it, undertaking appropriate risk assessments, and managing any remediation, including providing any required notifications.
- A personal data breach is as defined by the UK GDPR, including that in particular ‘unauthorised or unlawful processing may include disclosure of personal data to recipients who are not authorised to receive (or access) the data, or any other form of processing which violates the UK GDPR – the consequence of such a breach being that the parties will be unable to ensure compliance with the principles relating to the processing of personal data.’
- Where a party is required to inform the other party of a personal data breach, such notification should include the likely consequences of the breach, as well as the measures taken or proposed to be taken by the party if applicable to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects, such consequences including:
- the inability to comply with data protection obligations; and
- the realistic identification of the potential range of significant adverse effects on individuals, which can result in physical, material, or non-material damage, such as loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, and any other significant economic or social disadvantage to those individuals; in particular where such adverse effects may, wholly or partially, directly or indirectly, lead to a further event or incident, for example a further breach of legal obligations to which the parties are subject (e.g. the Health and Safety at Work etc. Act 1974).
- Each party shall ensure for their respective part that a description of the nature, scope and context of the personal data breach is recorded and logged, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records.
- Each party shall assist the other party in notifying the personal data breach to the ICO where required, including providing the information in 7.2 and 7.3 upon reasonable request. The parties shall define all the elements to be provided by the party identifying a personal data breach when assisting each other in the notification of a personal data breach to the ICO.
- For personal data that is processed for the stated purposes or any further processing activities and associated purpose(s), each party shall ensure, in order to satisfy the accountability principle and demonstrate due diligence, by way of a binding contract or other legal act, that any processors it relies upon:
- only process personal data in line with the party’s written instructions within the terms (unless required to do otherwise by law), which set out the extent of the processing the processor is contracted to undertake, including:
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and categories of affected individuals; and
- the party’s obligations and rights.
- provide sufficient guarantees, in particular in terms of their expert knowledge, resources and reliability, that they will implement appropriate technical and organisational measures to ensure the security of personal data, such as using encryption and pseudonymisation.
- ensure their processing meets data protection obligations, including:
- protecting against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access, through:
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore access to personal data in the event of an incident; and
- processes for regularly testing and assessing the effectiveness of the measures.
- demonstrating they are competent to process the personal data in line with those data protection obligations, such as maintaining records, appointing a data protection officer, and allowing the party to conduct timely audits, inspections or assessments, to demonstrate the processor’s data protection obligations have been met, taking into account the nature of the processing and the risks to the data subjects.
- obtaining a commitment of confidentiality from anyone it allows to process the personal data, unless that person is already under such a duty by statute, covering their employees as well as any temporary workers and agency workers who have access to the personal data.
- not engage another processor (i.e. a sub-processor) without the party’s prior specific or general written authorisation; and
- where such authorisation is given, demonstrate they have in place a contract with the sub-processor with terms that offer an equivalent level of protection for the personal data as those in the contract between the processor and the party.
- inform the party without undue delay if:
- any of party’s instructions would lead to a breach of data protection obligations; or
- they become aware of a personal data breach, taking utmost care to notify the party within 24 hours, and assist the party in complying with its obligations regarding personal data breaches.
- only transfer personal data outside the UK when authorised to do so, and ensure that such transfers comply with the transfer provisions laid down by data protection obligations.
- assist the party where required in meeting its obligations to keep personal data secure, notify, where required, the ICO and affected individuals, and carry out DPIAs.
- cooperate with supervisory authorities (such as the ICO) to help them perform their duties as required.
- take appropriate technical and organisational measures to help the party respond to requests from individuals to exercise their rights.
- at the end of the contract, in a secure manner, and, at the party’s choice, delete or return to the party all the personal data it has been processing for it unless UK law requires it to be stored.
- In relation to a party exporting personal data to a third country or international organisation (recipient), including onward transfers by that recipient, in relation to the stated purposes or any further processing activities and associated purpose(s), where the recipient is not covered by an adequacy decision, the party shall check that enforceable data subject rights and effective legal remedies for data subjects are available, in addition to documenting (and making available to the other party upon reasonable request) one of the appropriate safeguards or exceptions required by data protection obligations, where:
- any routine restricted international personal data transfer that relies on an international data transfer agreement is subject to an international transfer risk assessment (TRA) prior to the transfer.
- any more complex restricted international personal data transfer (such as where the recipient is based in more than one country) is, in addition to completing a TRA, subject to a DPIA, and the implementation of any necessary further contractual, technical and organisational measures to sufficiently mitigate risks, including relying on another appropriate safeguard or exception or not proceeding where there is an enhanced risk.
- any unrestricted international personal data transfer is subject to contractual clauses that commit the recipient to their data protection obligations, to facilitate the exercising of data subject rights as well as the ability of data subjects to seek administrative and judicial redress and to claim compensation in the UK and the destination country, covering, where the recipient is a:
- controller: its responsibilities, DPIAs, security measures, and transfers or disclosures not authorised by UK law;
- processor (or sub-processor): its processor contract, security measures, and transfers or disclosures not authorised by UK law.
- Each party shall provide any individual wishing to exercise their rights directly with another party with the details of that party’s designated single point of contact.
- Each party shall handle any rights requests without prejudice and act to respond to or otherwise provide for these requests without undue delay, and in any case within 1 month, or as required by data protection obligations.
- Each party shall validate any rights request against their record of processing activities.
- Each party shall fulfil any rights requests in a secure manner, including, security of communications and transmission of personal data.
- In relation to the right of access, each party shall:
- respond as to whether or not personal data is being processed; and
- provide the individual with information as laid down by data protection legislation including with regards to the purpose(s) and legal basis for the processing; and
- provide a copy of the personal data being processed.
- In relation to the right to data portability, where relevant, each party shall:
- refer to the other party any data portability requests received directly from individuals concerning personal data entered by the other party, and the other party shall resolve any referred or direct data portability requests with the individual.
- In relation to the right to rectification, each party shall:
- rectify any inaccurate personal data upon request by the individual; and
- refer the individual to the other party for any data rectification requests concerning personal data entered by the other party, and the other party shall resolve any referred or direct rectification requests.
- In relation to the right to erasure, each party shall:
- determine if any of the applicable grounds for erasure as laid out by the data protection legislation apply;
- if the grounds do not apply, inform the individual that the request cannot be fulfilled;
- if the grounds apply, immediately erase the personal data as per data protection obligations; and
- inform any recipient of the valid erasure request; and
- inform the individual of these recipients if requested by the individual.
- In relation to the right to restriction of processing,
- if the relevant party no longer needs the personal data for the purposes of the processing, but the individual requires them for the establishment, exercise or defence of legal claims, then the party shall restrict processing immediately and inform the other party without undue delay, and in any case within 24 hours.
- if the individual requests restriction pending the verification of the legitimate grounds of either party overriding those of the individual in connection to a right to object request, then the party shall
- restrict processing immediately, and
- inform the other party without undue delay, and in any case within 24 hours.
- In relation to the right to object, if the individual objects to the legitimate interests of either party in processing or sharing their personal data, the respective party shall demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual, or for the establishment, exercise or defence of legal claims, and, if unable to do so, cease processing immediately and notify the other party of the valid objection without undue delay, and in any case within 24 hours.