Outsourcing and data protection
Produced in partnership with Marina Paul

The following Information Law practice note, produced in partnership with Marina Paul, provides comprehensive and up-to-date legal information covering:

  • Outsourcing and data protection
  • Key guidance
  • The GDPR regimes as applicable to outsourcing
  • The GDPR regimes
  • Contract or other legal act
  • Meaning of processing and personal data
  • Controllers and processors
  • General obligations on customers (as controllers) under data protection law
  • Specific obligations on customers (as controllers) under Article 28 of the GDPR regimes
  • Drafting and negotiation

This Practice Note primarily addresses the UK data protection laws.

Given the extensive data flows between the EEA and UK, equivalent EEA data protection laws will remain of particular interest to UK practitioners. In relation to the subject matter of this Practice Note, there is great similarity between:

  1. the General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) (which was applicable under UK laws until the end of the Brexit implementation period at 11 pm UK time on 31 December 2020 and remains applicable in the EEA), and

  2. the United Kingdom General Data Protection Regulation, Retained Regulation (EU) 2016/679 (UK GDPR) (applicable under UK laws from the end of the Brexit implementation period and largely based on the EU GDPR).

Therefore, this Practice Note addresses equivalent requirements under both the UK GDPR and EU GDPR to assist UK practitioners who may need to consider the position under either. It refers to both as the ‘GDPR regimes’ for convenience where there is no need to distinguish them.

Note that:

  1. this Practice Note considers provisions under the EU GDPR applicable in EEA states at the supranational level only—refer to guidance from the relevant national data protection authorities and national laws regarding the approach that may be taken in any EEA jurisdiction

  2. this Practice Note is supplemented with guidance from the UK’s Information Commissioner—the views of other
