Supply chains under data protection law—arrangements between controllers and processors

The following Information Law practice note provides comprehensive and up-to-date legal information covering:

  • Supply chains under data protection law—arrangements between controllers and processors
  • Key guidance
  • The GDPR regimes and arrangements between controllers and processors
  • The GDPR regimes
  • Contract or other legal act
  • Meaning of processing and personal data
  • Meaning of controller and processor
  • General obligations on controllers using processors
  • Specific obligations on controllers using processors under Article 28 of the GDPR regimes
  • Drafting and negotiation

This Practice Note primarily addresses the UK data protection laws where a processor will process personal data on behalf of a controller in a commercial context.

On 31 January 2020, the UK ceased to be a member of the EU and EEA. Given the extensive data flows between the EEA and UK, equivalent EEA data protection laws will remain of particular interest to UK practitioners. In relation to the subject matter of this Practice Note, there is great similarity between:

  1. the General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) (applicable under UK laws until the end of the Brexit implementation period at 11 pm UK time on 31 December 2020 and remaining applicable in the EEA thereafter), and

  2. the Retained General Data Protection Regulation, Retained Regulation (EU) 2016/679 (UK GDPR) (applicable under UK laws from the end of the Brexit implementation period and largely based on the EU GDPR).

Therefore, this Practice Note addresses equivalent requirements under both the UK GDPR and EU GDPR to assist UK practitioners who may need to consider the position under either. It refers to both as the ‘GDPR’ regimes for convenience where there is no need to distinguish them.

Note that:

  1. this Practice Note considers equivalent provisions under the EU GDPR applicable in EEA states at the supranational level only—refer to guidance from the relevant national data protection authorities and
