Are the contracts you have with the suppliers who handle your customers’ data GDPR compliant?

June 19, 2018

From a practical perspective, proactive management of suppliers is often a useful and effective way to ensure your suppliers deliver. However, it is important to ensure you have a written contract in place to outline the service you require, the date and time of delivery, fees and all other obligations of the supplier. Take a look here to find out exactly when you have a contract in place.

Your contract with the supplier is key and you will want to ensure it marries up with the obligations you owe to your own clients in terms of data protection. Take a look here for our contract review checklist.

Here are some of the key terms you will want to consider:

  • Scope of service
  • Term
  • Termination and consequences of termination
  • Fees
  • Liability and Indemnities
  • Data Protection

GDPR Products


The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and must be considered if you are processing personal data. You must consider in what capacity are you processing personal data – as a data controller or data processor?

Where the relationship between you and your supplier is one of data controller to data processor, GDPR requires that a written contract is in place governing the relationship. The contract must set out, the subject matter and duration of processing; the nature and purpose of processing; the type of personal data and categories of data subjects; and the obligations and rights of the controller.

GDPR also requires the contract to stipulate that a processor will:

  • Process personal data only in accordance with the written instruction of the data controller and inform the controller if it believes an instruction infringes GDPR;
  • Ensure its employees who process personal data are subject to confidentiality obligations
  • Take all measures to comply with the security requirements of GDPR;
  • Not engage another processor or sub-processor without the consent (general or specific) of the controller;
  • Ensure contractual obligations required by GDPR flow down to any such sub-processors;
  • Assist the controller by using appropriate technical and organisational measures to meet its obligations with regard to the rights of data subjects;
  • Assist the controller with its obligations in respect of data breaches, data protection impact assessments and consultation with the data protection authorities;
  • At the choice of the controller delete or return all personal data when the services are at an end;
  • Evidence compliance with GDPR and submit to audits carried out by the controller or a third party on its behalf.

You may wish to review your current supplier contracts to ensure GDPR compliance as well as ensuring these terms are covered in new arrangements. Now is the time for ACTION and remember LawBite is here to help.

If you would like to speak to us about this or any other legal matter you can make an enquiry or call our friendly LawBite team on 0207 148 1066.


Rachel Lawbrief

Journey further…

How LawBite works
LawBite GDPR Rescue Package

Leave a Reply

Your email address will not be published. Required fields are marked *

Ask a lawyer a company law question Or request a lawyer callback

Invalid Email
Please tick the box to show that you have read and agree to our Privacy Policy.
Thank you for submitting your enquiry. A member of our team will be in touch with you very shortly.

The LawBite Team