POLICY: APPOINTING SUPPLIERS
This Policy (“Policy”) sets out steps that should be taken where a third party (“Supplier”) is appointed to provide services in connection with, or to, the Business (as defined below) and which may involve the Supplier processing personal data. This Policy will also apply if an existing Supplier is re-contracted on new terms or re-engaged on existing terms.
INDIVIDUAL NOTARY
I, Laura Delacroix-Humphreys (“Notary”), commit to comply with this Policy in the course of my business as notary public (“Business”).
The steps which must be followed are:
Step 1: Establish whether the Supplier is a Controller or a Processor
Step 2: Comply with data protection law requirements in the procurement process
Step 3: Check whether personal data will be transferred outside the UK
Step 4: Complete the self-assessment Checklist to ensure compliance with this Policy
This Policy does not apply if the Supplier’s services do not involve the processing of personal data (for example where it is solely a contract for the purchase of goods, such as hardware).
|STEP 1: IDENTIFY WHETHER THE SUPPLIER IS A CONTROLLER OR A PROCESSOR|
Whenever it is proposed to appoint a Supplier to which this Policy applies, it is important to first identify whether the Supplier is a “Controller” or a “Processor”.
- A Controller means a party that determines the purposes (that is, why the information is being processed) and means (that is, how the information is being processed) of processing. To identify this, one should ask: is the Supplier the controlling mind behind the proposed activity? Is the Supplier deciding what personal data will be collected and what it will be used for, or is it the Business? Often it is the person who “owns” the personal data. Broadly speaking, whoever “calls the shots” in relation to the personal data is likely to be a Controller. In the majority of cases the Supplier will likely be a Processor of the Business rather than a Controller. However, there may be situations where the Business appoints a Supplier who will be a Controller, as is shown in the examples below.
- A Processor means a party that processes the personal data on behalf of the Controller. To identify this, one should ask: is the Supplier carrying out the processing only because it has been instructed to do so by the Business? If so, the Supplier will usually be a Processor.
It is important to identify whether the Supplier is a Controller or Processor because:
- If a Supplier is a Controller it will be directly responsible for complying with UK and EU data protection laws (for example ensuring that the processing of the personal data is fair and lawful, and enabling individuals to exercise their rights under data protection laws).
- If a Supplier is a Processor, it will still have some direct obligations under UK and EU data protection laws. However, its primary obligations will be imposed under contract with the Controller, i.e. the Business. The Business will be legally responsible for all processing performed by its Processors, and so it is crucial that strict controls are placed on the Processor’s actions.
|EXAMPLES|
SUPPLIER AS A CONTROLLER
- A solicitor, accountant, notary or similar professional appointed to provide services to the Business.
- The Foreign Office or any other public authority will generally act under its official authority and will likely be a Controller.
- If the Business employs Personnel, it may engage a pensions provider for Personnel.
SUPPLIER AS A PROCESSOR
- Where the Supplier is a data storage provider (e.g. the NotarySafe service).
- An agent appointed to provide legalisation services (only if processing of personal data takes place, i.e. the documents are not provided in a sealed envelope and the Supplier can read them).
- A translation service provider.
- A confidential waste disposal service provider.
- An IT contractor with access to confidential information of the Business.
- If the Business employs Personnel, it may engage a payroll services provider to streamline the payroll process.
SUPPLIER NOT ENGAGED IN “PROCESSING”
As mentioned above, this Policy does not apply if the Supplier’s services do not involve the processing of personal data, as in the examples below.
- Purchase of goods such as hardware, office supplies and other goods.
- Couriers are not considered Processors as long as they do not access personal data, i.e. they are handed a sealed envelope which they must not open. They are a mere conduit between the sender and recipient.
If the Supplier will be acting as a Controller:
As mentioned above, it is less likely that a Supplier will be acting as Controller and the majority of Suppliers will be Processors. However, if the Supplier is indeed a Controller:
- The contract with the Supplier should contain standard terms for Controllers set out in Appendix 2.
Please note that Controllers which are public authorities are less likely to accept a written agreement from the Business, as they act under their official authority. In these cases, it may be reasonable for the Business to assume that the Controller will comply with its legal obligations even if no agreement is entered into. However, in some cases public authorities may still be considered Processors, especially if they act outside their official authority, and a written agreement (as per Steps 2 and 3) may be required. The Business should ensure that only the minimum personal data required to carry out the relevant acts is shared with such public authorities.
- Step 2 will not apply and Step 3, regarding data transfers, should be considered.
|STEP 2: COMPLY WITH DATA PROTECTION LAW IN THE PROCUREMENT PROCESS|
Because the Business will be responsible for the actions of its Processors, there are certain steps which must be taken to protect the Business when appointing a Supplier who is a Processor.
In addition, when contracting with a Supplier who is a Processor, the Business is under a legal obligation to ensure certain mandatory provisions concerning personal data are included in the contract with the Processor. These provisions are reflected in the standard Data Processing Agreement.
The following table outlines the practical steps which should be taken during the procurement process to ensure that data protection legal obligations are met.
|Step||What does this mean in practice?|
|Understand the nature of the data processing||Identify the types and amounts of personal data which the Supplier will have access to. The Supplier should only have access to the minimum amount of personal data they need to provide the services. If the Supplier will have access to payment card data, the agreement will also need to address compliance with the Payment Card Industry Data Security Standard (PCI DSS).|
|Conduct due diligence on the Supplier||Choose a Supplier providing sufficient guarantees regarding information security and handling of personal data. It should be ensured the Supplier is able to provide appropriate security protection for the data, taking into account the nature of the personal data and any risks involved (for example, the consequences of a security breach).|
|Take additional precautions with special categories of personal data or card payment data.||Pay particular attention to security specifications for the contract if it involves processing special categories of personal data.|
|Ensure the written contract contains or incorporates the data protection clauses||The contract with the Supplier must include specific data protection language, as this is a legal requirement under UK and EU data protection laws. If the contract is on the Supplier’s standard terms, it will still need to be ensured that the necessary data protection language is included in the contract.|
|Note any data transfers outside of the UK or EEA||If any personal data will be transferred outside the UK or EEA (including where the personal data can be accessed remotely from outside the UK or EEA), steps must be taken to ensure that the transfer is lawful. See Step 3 below.|
|Anonymise, pseudonymise or aggregate personal data if possible||These safeguards should be considered to help eliminate data protection risks whenever possible.|
|Limit access to the personal data||The Supplier should have appropriate access controls so that only those involved in the delivery of the services can access the personal data, and access rights are limited to that necessary for each individual’s role.|
|Ensure the Supplier can assist with individual rights requests||The data protection language in the contract must include an obligation on the Supplier to assist the Business to enable individuals to exercise their individual rights. These include rights to access, rectify and erase their personal data, and object to it being used for a particular purpose. The Supplier must ensure that it can respect these rights (e.g. by rectifying or erasing personal data), when requested to by the Business. The Supplier should also ensure that if it receives any requests in relation to personal data, these are promptly passed on to the Business.|
|Check the Supplier’s subcontractors||Essentially, it should be ensured that all data processing terms will be ‘flowed down’ to any subcontractor.|
|Provide notice of the data sharing unless this has been done already||Ensure that the arrangement with the Supplier is covered by the privacy notice given to Personnel or clients, as applicable. If the arrangement is not adequately covered by the existing notice, consider how to inform them prior to providing their personal data to the Supplier.|
|Business monitors the Supplier’s compliance throughout the appointment||Ensure there are reasonable steps in place which allow the Business to monitor the Supplier’s performance of its security and processing obligations. For example, the Business may check the Supplier’s website and look out for any relevant press releases from time to time and, depending on the level of engagement and the associated risks, regularly ask the Processor (e.g. pursuant to the Data Processing Agreement) for information such as confirmation of the information security measures the Processor currently has in place.|
|Establish what will happen to the personal data at the end of the relationship||If there is no longer a need to keep the personal data, because of the termination of the service relationship or because the law no longer requires it, it should be returned to the Business. Make sure the contract terms provide for the return of the personal data to the Business or purging upon request of the Business.|
|STEP 3: CHECK IF PERSONAL DATA WILL BE TRANSFERRED OUTSIDE THE UK OR EEA|
This Step 3 should be completed whether the Supplier will be acting as a Controller or a Processor.
In considering whether to appoint a Supplier, the following should be established:
- whether the Supplier is, itself, located outside the UK or EEA; or
- whether the Supplier may subsequently transfer personal data outside the UK or EEA (for example to the Supplier’s subsidiaries or subcontractors).
A ‘transfer’ of personal data includes the following:
- allowing personal data stored in the UK or EEA to be accessed remotely from a country outside the UK or EEA (e.g. the US);
- relocating a database outside the UK or EEA; or
- sending a data set (for example an Excel file) as an attachment to an email to a recipient outside the UK or EEA.
Subject to the exceptions set out below, personal data should not be transferred from a UK or an EEA country to a non-UK/EEA country unless there are means of providing appropriate safeguards for that personal data.
A small number of countries (Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay) have been legally recognised to provide an adequate level of protection and personal data can therefore be transferred from the EEA to those countries. The list of “adequate” countries can be found on the Commission’s website, here: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm
For countries outside the UK/EEA and not listed above an alternative solution has to be adopted before personal data can be transferred. The most relevant to the Business is likely to be requiring the non-UK/EEA recipient to sign up to an approved set of international data transfer clauses, known as the ‘EU Model Clauses’. Which version of the Clauses should be used depends on whether the Supplier is acting as a Controller or a Processor. The EU Model Clauses should not be amended by the parties. The Appendices will need to be completed prior to execution.
Summary of the contractual arrangements which must be in place:
|Country in which personal data will be hosted in, or will be accessible from||How to regulate processing by the Supplier||How to regulate transfers outside the UK/EEA|
|‘Adequate’ countries (Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay)||Use the standard Data Processing Agreement||N/A as the countries offer ‘adequate protection’|
|Non-adequate countries (e.g. Australia, India, China, or US)||Use the standard Data Processing Agreement||Execute the applicable EU Model Clauses|
|Exceptions|
In some circumstances transfers may be made without ensuring appropriate safeguards for the transferred personal data, as explained above. These exceptions will mostly concern transfers instructed by the client rather than transfers to a Supplier of the Business.
|Explicit consent from data subject.||This will only apply where all personal data in the document to be transferred outside the UK/EEA is the personal data of the client and no third party (unless such third party also consented). Consent has to be freely given, unambiguous, informed and confirmed by affirmative action or statement of the data subject. A record of the consent must be retained together with the assessment of possible risks of the transfer and the appropriate safeguards put in place in relation to the transfer.|
|Transfer is necessary for the performance of contract||This will apply only to contracts between the Business and the data subject or another party on the data subject’s request. This may apply, for example, where the client engages the Business to procure notarisation by foreign notaries. In such cases, the Business should obtain a warranty from the client to the effect that the client has obtained explicit and demonstrable consent from each other data subject whose personal data is included in the document which is subject to the transfer. This exception will also likely apply to transfers to foreign public authorities.|
|Transfer is necessary for important reasons of public interest recognised by law.||This will apply in very limited circumstances, such as in the case of the UK’s substantial public interest in detecting and preventing crime.|
|Information in public registers.||You can transfer overseas part of the personal data on a public register, as long as the person you transfer to complies with any restrictions on access to or use of the information in the register.|
|Transfer is necessary in connection with legal proceedings, legal advice or defending legal rights.||This may apply, for example, where notarised documents are forwarded to a third party law firm in connection with legal proceedings or legal advice.|
These are the main exceptions that are likely to apply. However, in some circumstances further exceptions may apply.
|STEP 4: SELF-ASSESSMENT CHECKLIST FOR COMPLIANCE WITH THIS PROCEDURE|
To ensure compliance with the requirements of this Policy, the self-assessment checklist in Appendix 1 should be completed.
Last updated September 2021