General Data Protection Regulation Template Directions to consider for Contracting Authorities who have used OGP Framework Agreements

It is important that any contracting authority considering GDPR and its implications familiarises itself with the OGP GDPR Information Note, which is available by following this link: GDPR Information Note.

The data protection provisions that were in OGP Framework Agreements had been suitable for use under the pre-GDPR data protection regime.  The changes brought about by the GDPR, particularly with regard to the specific contractual obligations which must be imposed on data processors, mean that the provisions in those contracts are no longer adequate.  This means that any existing ongoing contracts which are based on those template goods and services contracts and which involve the processing of personal data by the contractor as part of the contract will need to be updated to ensure their compliance with the GDPR.

The OGP has drafted template directions which may be issued by contracting authorities to their contractors where the contract involves the processing of personal data and the contractor is acting as a “Data Processor” on behalf of the contracting authority. It should be noted that the template directions are not a passive document and will require both the contracting authority and contractor to take some form of action in order to comply with and implement their contract provisions. Public bodies will need confirmation that the contractor/supplier can implement the appropriate technical and organisational measures to comply with GDPR. For example, the directions require the data processor to process personal data only on the “written instructions” of the contracting authority.  In practice, this means that the contracting authority must provide instructions in writing to the contractor on what it wants the contractor to do.  The directions also require the contracting authority to provide written instructions to the contractor on whether to amend, delete or return personal data to it on termination of the contract.  This creates a positive obligation on the contracting authority to give such instructions prior to the expiry or termination of the contract.

Where a contracting authority considers that the contractor is or might be a data controller in its own right or a joint data controller with the contracting authority, the template directions either will not be suitable or may need to be adapted, and the contracting authority should seek legal advice.

These directions do not apply to contracts entered into on a contractor’s own terms and conditions or which do not incorporate the standard OGP template terms. A different approach will be required for these contracts and the contracting authority should contact its legal advisor or data protection officer.

GDPR Directions for existing Contracts under OGP Frameworks