Data Security & Privacy

Contract Type:
Generic Contract

1. Both parties shall comply with all applicable data protection and privacy laws in relation to any personal data processed under this Agreement, including the Data Protection Act 2018 and the UK GDPR.

2. Each party shall ensure that it has all necessary notices and consents in place to enable lawful transfer of the personal data to the other party for the duration and purposes of this Agreement.

3. Each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

4. Where one party transfers personal data to the other party, the transferring party shall be the data controller and the receiving party shall be the data processor. The data processor shall only process the personal data on the data controller's documented instructions.

5. Each party shall assist the other in complying with all applicable requirements of the data protection laws.

6. The provisions of this clause shall survive termination of this Agreement.


Here is a plain English explanation of the Data Security & Privacy clause:

This clause ensures both parties handle personal data properly and securely when performing the contract.

The key requirements are:

- Comply with UK data protection laws like the Data Protection Act and GDPR.

- Have appropriate consents and notices to lawfully transfer any personal data needed for the contract.

- Take technical and organizational measures to safeguard the data and prevent unauthorized access or loss.

- The party transferring data is the data controller. The receiving party is the data processor and can only process the data as instructed.

- Assist each other in meeting data protection obligations.

- These data protection duties continue even after the contract ends.

In summary, this clause obligates both parties to handle personal data in a lawful and secure manner according to UK data protection regulations.

It allocates data controller and processor roles for transfers. The duties remain in effect post-termination.

History of the clause (for the geeks)

Data privacy clauses in contracts emerged in response to evolving personal data protection regulations.

Key developments include:

- Early computer processing of customer and employee information raised concerns about privacy rights, leading to passage of the first UK Data Protection Act in 1984.

- Organizations recognized the need to mandate internal handling procedures and third-party data security through contractual provisions to meet legal duties.

- The growth of digital technology and internet commerce increased collection of consumer data and risks of improper use or unauthorized access. Privacy clauses became crucial in vendor contracts.

- The EU Data Protection Directive of 1995 led to further UK regulations on lawful data processing and confidentiality. Businesses embedded compliance in commercial agreements.

- Privacy clauses detailed specific security safeguards, access controls, data transfer mechanisms, breach notification processes and liability apportionment.

- Emerging big data analytics and transnational digital services heightened focus on consent requirements and cross-border data flows. Contracts played a key role.

- The EU General Data Protection Regulation of 2016 imposed tighter constraints. Privacy clauses evolved to address new rights like data erasure and portability.

Modern data privacy contract clauses reflect accumulated experience governing information risks as regulations expanded to match technological capabilities and realities.

In summary, privacy clauses arose to facilitate commerce while adhering to evolving personal data protection laws since the 1980s as digital technology reshaped the use of consumer information.