Consultancy Agreement Data Protection Clause

The data subject is the identified or identifiable living individual to whom personal data relates (section 3(5), DPA 2018). As under the DPA 1998, an advisor (or the individual providing the advice, where it is provided through a service company) will be a "data subject" and the client will be a "data controller" within the meaning of the GDPR and the DPA 2018. As a result, clients must process their advisors' personal data in accordance with the GDPR and the DPA 2018.

Historically, consulting agreements may have included clauses by which the advisor consents to the client retaining and processing his personal data. However, under the GDPR, this type of general consent is no longer as useful, as it can be revoked at any time.

Assuming that an advisor is a data processor that processes data on behalf of the client, who is the controller, the GDPR limits the advisor's ability to engage a sub-processor by requiring the advisor to obtain written permission from the client. If the client gives permission, the advisor must enter into a contract with the replacement or sub-processor that provides the same protection for personal data as the contract between the client and the advisor.

One of the main developments of the GDPR that will affect consultants who are data processors is that it makes them directly liable for damages, fines and penalties for breaches of their obligations. Consultants and clients should therefore check whether there is adequate insurance to cover these contingencies.

The advisor is not only a data subject; he may also be a "processor" (or even a "controller"), depending on what he does for the client. Prior to the GDPR, consultants may have been controllers or processors, so these concepts are not new. However, the GDPR significantly expands the obligations imposed on data processors and gives processors direct responsibility and obligations to authorities (such as the ICO) and individuals. The advisor should inform the client if the advisor is notified immediately. Some of these obligations will have a significant financial impact on an individual advisor, such as the obligation to take appropriate technical and organizational measures to secure personal data, and the only way to manage this may be to pass the costs on to the client. Restrictions on the appointment of sub-processors will also affect the ability to appoint a substitute. Given the new obligations and responsibilities, it is important that consultants and clients take these considerations into account before entering into (or continuing) a consulting contract.

If necessary, the consultancy arrangements should be changed. The "processing" of personal data refers to an operation (or series of operations) carried out on personal data. This includes, but is not limited to, collecting, recording, organizing, structuring or storing the data, so it is a broad definition. An example of a consultant who handles personal data could be an HR consultant who advises clients on day-to-day HR issues, such as disciplinary matters and complaints, since they have access to the details of the client's staff. On the other hand, an HR consultant who advises clients on personnel strategy may not process personal data. The GDPR introduces more rights for data subjects.