Data protection and outsourcing under the GDPR
Produced in partnership with Marina Paul of Endgame Legal Consultancy Ltd

The following Financial Services guidance note, produced in partnership with Marina Paul of Endgame Legal Consultancy Ltd, provides comprehensive and up-to-date legal information covering:

  • Data protection and outsourcing under the GDPR
  • Key guidance
  • Data protection regime under the GDPR as applicable to outsourcing
  • Meaning of controller and processor
  • Controller-to-controller relationships
  • General obligations on customers (as controllers) under the GDPR
  • Specific obligations on customers (as controllers) under Article 28 of the GDPR
  • Related provisions the customer should consider including
  • Obligations on suppliers (as processors) under the GDPR
  • Sub-processing

Brexit: On 31 January 2020, the UK ceased to be an EU Member State and entered an implementation period, during which it continues to be subject to EU law. During this period, the GDPR applies in the UK and the UK generally continues to be treated as an EU (and EEA) state for EEA and UK data protection law purposes. Any references to EEA or EU states in this Practice Note should therefore be read to also include the UK until the end of the implementation period. For further guidance on that period, its duration and the data protection laws that are anticipated to apply after the end of it, see Practice Note: Brexit—implications for data protection.

This Practice Note on data protection and outsourcing provides guidance on:

  1. the data protection regime under the General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR) as applicable to outsourcing

  2. the general obligations on customers (as controllers) under the GDPR

  3. the specific obligations on customers (as controllers) under Article 28 of the GDPR

  4. related provisions the customer should consider including

  5. obligations on suppliers (as processors) under the GDPR

  6. sub-processing

  7. standard processing clauses, approved codes of conduct and certification schemes

  8. sanctions and enforcement

  9. steps the customer should take to comply with the GDPR

  10. steps the supplier should take where the GDPR applies

  11. matters likely to