Supplier Contract Addendum
Our Supplier Contract Addendum template:
- GDPR-compliant
- protect yourself with data warranties
- drafted by a GDPR-expert solicitor
- satisfaction guarantee
How Does It Work?
-
1. Download
-
2. Edit
-
3. Print
-
4. Sign
This is our Supplier Contract Addendum template for use when you are contracting with a supplier that does not have a GDPR-compliant data privacy notice in their terms and conditions or other contract with you. You can send them this notice and tell them that it acts as a supplement or addendum to that contract.
Having a Supplier Contract Addendum
You have a duty to ensure that, just as you must comply with the GDPR and the Data Protection Act 2018, your suppliers are all contractually bound to comply with GDPR in case you share any personal data with them. To avoid the risk of a 2% of global annual turnover/€10m fine (whichever is the greater), you need to put in place a binding agreement with your data processors (Art. 28 GDPR) that regulates, as a minimum:
- the subject-matter of the processing,
- duration of the processing,
- nature of the processing, and
- also the purpose of the processing.
So this supplier contract addendum template enables you to tackle that need quickly and easily.
Our Supplier Contract Addendum template provides warranties (i.e. promises) from the supplier to you that:
- the data they pass to you has been collected properly and processed in accordance with the law, and
- once passed to you, you will be able to process it lawfully.
If you have no written contract in place with a supplier (i.e. you only have a verbal contract), then, instead of this template, you should use our Data Processing Agreement template, as it takes the form of a short contract that focusses only on this issue (and deals with the same issues).
This is a key part of our GDPR compliance kit.
Below you will find a preview of the guide that comes with the template when you purchase it. So this gives you an idea of its contents.
Guide to Supplier Contract Addendum – Data Warranties
This template is designed to enable compliance with the requirements of Article 28 of GDPR. Article 28 requires that when your business engages a service provider that will receive and process any personal data from you that:
- you have a written contract in place with them, and
- also it must contain a set of warranties regarding how they will protect that data.
If you engage a supplier of services to your business and they either do not have a written contract for the services being supplier, and or the contract does not include the data processing warranties then you can put this document in place with the supplier.
The remainder of this guide will take you through editing and completing the template, clause-by-clause.
Clauses in this Supplier Contract Addendum – Numbered clauses
Purpose – This section explains the purpose of this document. You need to add a description of the services that the supplier is providing to you.
Definition of Data Protection Legislation
This section of the template confirms that references to ‘Data Protection Legislation’ covers the GDPR. It also covers any subsequent legislation that may replace GDPR in the future.
1. Protection of Data
1.1 This clause in the supplier contract addendum confirms that both parties will comply with all of the requirements of the Data Protection legislation.
1.2 This clause confirms that:
- as the customer in the relationship, your business will take the role of the Data Controller, and
- the supplier will take on the role of the Data Processor, for the purpose of GDPR.
1.3 This clause confirms that the scope and nature of the data processing that the supplier will undertake is to be set out in Schedule 1 to the document.
1.4 This clause covers off your business confirming to the supplier that you have the required legal basis for passing personal data to them.
1.5 This clause sets out a series of warranties (see clauses 1.5.1 to 1.5.4) that the supplier provides to you. The warranties state that the supplier will treat the data in a way that ensures compliance with GDPR.
Schedule 1 – Processing by the Supplier
1. Scope – In this section of the schedule, you should add a summary of what you are requesting the supplier to do with the personal data.
2. Nature – In this section of the supplier contract addendum, add a description of how you are expecting the supplier to use the personal data.
3. Purpose – In this section, add an explanation of what the purpose is of the processing that the supplier will undertake.
4. Duration – Finally, in this section, set out how long the processing of the personal data by the supplier is likely to take.