GDPR Letter to Processors
Implementation Guidance (this section must be removed from final version of the document)
Purpose of this document This letter is intended to be sent to organisations you use as processors to confirm their readiness for GDPR.
Areas of the GDPR addressed The following areas of the GDPR are addressed by this document: (All)
General Guidance As part of GDPR you should also have a contract in place with each of your processors that covers the required areas, so this letter should be supplemental to that. The contract is the controller’s protection in many ways, so that should be prioritised over responses to this letter, but this letter may help to highlight areas of risk, particularly if special categories of data are involved. Note that this letter is intended as a final confirmation, not as a data-gathering exercise; use the Processor GDPR Assessment as a tool for initial fact-finding.
Review Frequency We would recommend that this document is reviewed as preparations for GDPR continue.
Toolkit Version Number GDPR Toolkit Version 5
Document Fields This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exists in this document): 1. Update the custom document property “Organization Name” by clicking File
Page 1 of 5
GDPR Letter to Processors
> Info > Properties > Advanced Properties > Custom > Organization Name 2. Press Ctrl a on the keyboard to select all text in the document (or use Select, Select All on the ribbon) 3. Press F9 on the keyboard to update all fields 4. When prompted, choose the option to just update TOC page numbers If you wish to permanently convert the fields in this document to text i.e. so that they are no longer updateable, then you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible then go to File > Options > Advanced > Show document content > Field shading and set this to “Always�. This can be useful to check that you have updated all fields correctly. Further detail on the above procedure can be found in the Toolkit Completion Instructions within the Project Resources folder.
Copyright notice Except for any third party works included in this document, as identified in this document, this document has been authored by CertiKit, and is Š copyright CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Disclaimer Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or
Page 2 of 5
GDPR Letter to Processors
guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Page 3 of 5
GDPR Letter to Processors
Subject: Your Readiness for the GDPR The General Data Protection Regulation (GDPR) is a Regulation of the European Union which applies to all organisations that collect and process the personal data of EU citizens. As a responsible, forward-looking business, [Organization Name] recognises at senior levels the need to comply with the GDPR and, as a controller, has taken steps to ensure that effective measures are in place to protect the personal data of our customers, employees and other stakeholders, and to ensure that it is processed lawfully, fairly and transparently. Your organisation acts as a processor on our behalf for some of the personal data for which we are a controller and, as part of meeting our mutual legal obligations, we are required to have in place a data processing agreement (or similar contractual arrangement) with you. With respect to the processing of personal data you perform on our behalf, this agreement is required to cover: • • • • •
The subject matter and duration of the processing The nature and purpose of the processing The type of personal data and categories of data subjects Assistance with meeting our obligations and rights as a controller Required contractual terms
If we are not already, we will be working with you to ensure that such an agreement is in place and that both parties’ legal responsibilities are fulfilled. Further to this agreement, we would like to confirm with you that: 1. A policy is in place for the protection of personal data within your organisation which has been approved by management and communicated to all employees and other relevant people 2. All of your employees have received awareness training regarding data protection and the GDPR 3. Everyone within your organisation understands their roles in the protection of personal data, and has received training where needed 4. Tested procedures and, if appropriate, online user facilities are in place to assist us in promptly processing and fulfilling data subject access requests, such as consent withdrawal, access and rectification 5. Procedures and facilities are in place to comply with our published timescales for the retention of personal data and for the deletion or return of data at the end of the contract 6. You are keeping records of processing as required by the GDPR 7. Where you are using agreed sub-processors, all of your contracts with these parties have been updated to comply with the requirements of the GDPR 8. All of your employees are subject to confidentiality obligations with respect to personal data
Page 4 of 5
GDPR Letter to Processors
9. Where you transfer our personal data internationally, you have ensured that the transfer is legal under the GDPR 10. Where appropriate, a data protection impact assessment approach which is line with the requirements and recommendations of the GDPR and relevant best practice, will be used 11. You have tested procedures in place to fulfil your obligations to us as a controller, in the event of a breach of personal data 12. You have policies and other controls in place to provide appropriate protection of our personal data, based on a careful assessment of risk 13. You have appointed a Data Protection Officer whose contact details have been provided to us Please respond to each of the above points, stating clearly whether they are in place, and describing your plans, including timescales, where they are not. We trust that you will continue to develop and improve your data protection policies and controls over time, guided both by legal requirements and the needs and preferences of ourselves as a customer. We appreciate your cooperation in this matter. Yours sincerely, [Top management signatories]
Page 5 of 5