GDPR-DOC-06-5 GDPR Letter to Processors

GDPR Toolkit: Version 8 ©CertiKit Letter to Processors

Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

This letter is intended to be sent to organisations you use as processors to confirm their compliance with the GDPR.

Areas of the GDPR addressed

The following areas of the GDPR are addressed by this document:

• Article 28: Processor

• Article 29: Processing under the authority of the controller or processor

• Article 32: Security of processing

General guidance

As part of GDPR you should also have a contract in place with each of your processors that covers the required areas, so this letter should be supplemental to that. The contract is the controller’s protection in many ways, so that should be prioritised over responses to this letter, but this letter may help to highlight areas of risk, particularly if special categories of data are involved.

Note that this letter is intended as a final confirmation, not as a data-gathering exercise; use the Processor GDPR Assessment as a tool for initial fact-finding.

Review frequency

We would recommend that this document is reviewed as preparations for GDPR continue.

Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.

To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.

2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).

3. Press F9 on the keyboard to update all fields.

4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions document.

The Completion Instructions document also contains guidance on working with the toolkit documents on an Apple Mac, and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.

If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.

Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.

Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.

You should take all reasonable and proper legal and other professional advice before using this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.

Subject: Your compliance with the GDPR

The General Data Protection Regulation (GDPR) is a Regulation of the European Union which applies to all organisations that collect and process the personal data of EU citizens.

As a responsible, forward-looking business, [Organization Name] recognises at senior levels the need to comply with the GDPR and, as a controller, has taken steps to ensure that effective measures are in place to protect the personal data of our customers, employees and other stakeholders, and to ensure that it is processed lawfully, fairly and transparently.

Your organisation acts as a processor on our behalf for some of the personal data for which we are a controller and, as part of meeting our mutual legal obligations, we are required to have in place a data processing agreement (or similar contractual arrangement) with you.

With respect to the processing of personal data you perform on our behalf, this agreement is required to cover:

• The subject matter and duration of the processing

• The nature and purpose of the processing

• The type of personal data and categories of data subjects

• Assistance with meeting our obligations and rights as a controller

• Required contractual terms

If we are not already, we will be working with you to ensure that such an agreement is in place and that both parties’ legal responsibilities are fulfilled.

Further to this agreement, we would like to confirm with you that:

1. A policy is in place for the protection of personal data within your organisation which has been approved by management and communicated to all employees and other relevant people

2. All your employees have received awareness training regarding data protection and the GDPR

3. Everyone within your organisation understands their roles in the protection of personal data, and has received training where needed

4. Tested procedures and, if appropriate, online user facilities are in place to assist us in promptly processing and fulfilling data subject access requests, such as consent withdrawal, access and rectification

5. Procedures and facilities are in place to comply with our published timescales for the retention of personal data and for the deletion or return of data at the end of the contract

6. You are keeping records of processing as required by the GDPR

7. Where you are using agreed sub-processors, all your contracts with these parties have been updated to comply with the requirements of the GDPR

8. All your employees are subject to confidentiality obligations with respect to personal data

9. Where you transfer our personal data internationally, you have ensured that the transfer is legal under the GDPR

10. Where appropriate, a data protection impact assessment approach that is in line with the requirements and recommendations of the GDPR and relevant best practice will be used

11. You have tested procedures in place to fulfil your obligations to us as a controller, in the event of a breach of personal data

12. You have policies and other controls in place to provide appropriate protection of our personal data, based on a careful assessment of risk

13. You have appointed a Data Protection Officer whose contact details have been provided to us

Please respond to each of the above points, stating clearly whether they are in place, and describing your plans, including timescales, where they are not.

We trust that you will continue to develop and improve your data protection policies and controls over time, guided both by legal requirements and the needs and preferences of ourselves as a customer.

We appreciate your cooperation in this matter.

Yours sincerely, [Top management signatories]
