[Enclose your customised processor agreement and any other document]
[Processor Name]
[Processor Address]
[Date]
Dear [Processor Point of Contact]
As one of our valued service providers, we are writing to you regarding the personal information that you process on our behalf in your capacity as a [insert service/business type].
You will be aware that as of the 25th May 2018, the General Data Protection Regulation (GDPR) and Data Protection Act 2018 came into force, superseding the existing data protection laws and introducing tighter controls and a more risk-based approach for processing personal information and protecting the rights and freedoms of individuals.
As a data controller, [Insert Company Name] has an obligation to ensure that any service provider (“processor”) processing personal data on our behalf abides by the principles and requirements of the GDPR and UK data protection law. We expect all processors appointed by us to provide sufficient guarantees and evidence that the requirements of the GDPR will be met and the rights of data subjects protected.
The GDPR makes it a legal requirement to have a written contract in place whenever a controller uses a processor. The purpose of this contract is to define the business relationship and to ensure that both controller and processor understand their obligations, responsibilities and liabilities with regard to personal information and data protection.
[Insert Company Name] has therefore drafted the enclosed Processor Agreement, which relates specifically to our business relationship and details the subject matter; duration; nature and purpose of the processing; the type of personal data and categories of data subject; and the obligations and rights of [Insert Company Name] as the controller.
The agreement also outlines your responsibilities and obligations as a processor and provides the terms for processing any personal information disclosed by [Insert Company Name], ensuring that we both meet our Article 28 obligations.
Please could you read, complete and sign the enclosed Processor Agreement and return it to us at your earliest convenience. Please ensure that you complete the schedules section, providing full details of the organisational and technical measures taken to ensure data security and protection, and where applicable, provide details of any sub-processor(s) used.
Completed agreements can be emailed to [insert email address] or can be returned by post to:
[Insert Company Name]
[Insert Point of Contact]
[Address Line 1]
[Address Line 2]
[Address Line 3]
[Postcode]
[Telephone Number]
[If you have any specific requirements or evidence requests, detail them here (e.g. enclose a due diligence form or processor checklist to complete, or evidence of breach and SAR procedures)]
If you have any further questions, please do not hesitate to contact us.
Yours sincerely,
(enclosed Processor Agreement)
[Enter Name Data Protection Officer/Appointed Person]
[Enter Job title of person handling the request]
[Enter direct dial, email, extension]