Data protection and outsourcing under the GDPR
Produced in partnership with Marina Paul of Endgame Legal Consultancy Ltd

The following Financial Services guidance note, produced in partnership with Marina Paul of Endgame Legal Consultancy Ltd, provides comprehensive and up-to-date legal information covering:

  • Data protection and outsourcing under the GDPR
  • Key guidance
  • Data protection regime under the GDPR as applicable to outsourcing
  • Meaning of controller and processor
  • Controller-to-controller relationships
  • General obligations on customers (as controllers) under the GDPR
  • Specific obligations on customers (as controllers) under Article 28 of the GDPR
  • Related provisions the customer should consider including
  • Obligations on suppliers (as processors) under the GDPR
  • Sub-processing
  • and more

This Practice Note on data protection and outsourcing provides guidance on:

  1. the data protection regime under the General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR) as applicable to outsourcing

  2. the general obligations on customers (as controllers) under the GDPR

  3. the specific obligations on customers (as controllers) under Article 28 of the GDPR

  4. related provisions the customer should consider including

  5. obligations on suppliers (as processors) under the GDPR

  6. sub-processing

  7. standard processing clauses, approved codes of conduct and certification schemes

  8. sanctions and enforcement

  9. steps the customer should take to comply with the GDPR

  10. steps the supplier should take where the GDPR applies

  11. matters likely to be negotiated

  12. cloud services

  13. other information laws

  14. overseas data protection laws, including the national laws of EU and EEA states

This Practice Note covers the law under the GDPR regime (which became directly applicable and fully enforceable in all EU Member States on 25 May 2018) as it applies in the UK. Outsourcing agreements involving the sharing or processing of personal data which continue or commence after 24 May 2018 need to comply with the requirements of the GDPR.

As further explained below, in the context of outsourced services, the customer will generally be a controller and the supplier a processor. This Practice Note is therefore drafted to address that scenario. Unless stated otherwise, references to the supplier or