Data protection negotiation guide—controller: processor—information provision, audits and inspections
Produced in partnership with Miriam Everett of Herbert Smith Freehills and Data Protection Intelligence Group

The following Information Law practice note, produced in partnership with Miriam Everett of Herbert Smith Freehills and Data Protection Intelligence Group, provides comprehensive and up-to-date legal information covering:

  • Data protection negotiation guide—controller: processor—information provision, audits and inspections
  • Summary of mandatory contractual terms
  • Summary of commonly negotiated points
  • Key legislation and ICO, EDPB and EDPS guidance
  • Recital 82 of the UK GDPR
  • Article 5(2) of the UK GDPR (Accountability principle)
  • Article 24(1) of the UK GDPR
  • Article 28(3)(h) of the UK GDPR
  • Article 28(4) of the UK GDPR
  • Article 30(2) of the UK GDPR

STOP PRESS: On 13 July 2021 the European Data Protection Board published its finalised and updated Guidelines 07/2020 following public consultation. This Practice Note will be updated shortly to reflect that development.

This Practice Note forms part of the Data Protection Negotiation Guide (the Guide) and addresses the negotiation of terms relating to information provision, audits and inspections in agreements between controllers and processors subject to the UK General Data Protection Regulation, Retained Regulation (EU) 2016/679 (the UK GDPR).

For an introduction to the Guide and related content, see Practice Note: Data protection negotiation guide—controller: processor—introduction.

This Practice Note utilises a number of common abbreviations. They are separately defined within the above introduction.

As explained in Practice Note: Data protection negotiation guide—controller: processor—introduction, the parties have commercial flexibility to allocate the costs and expenses of performing these obligations between themselves.

Guidance from the EDPB on equivalent provisions of the EU GDPR is likely to remain highly influential in interpreting the UK GDPR and therefore this Practice Note refers to relevant EDPB guidance. For similar reasons it also refers to certain guidance from an influential member of the EDPB, the European Data Protection Supervisor (EDPS).

Summary of mandatory contractual terms

The contract must stipulate that the processor shall make available to the controller all information necessary to demonstrate compliance with the obligations laid