UK GDPR requires that the scope, nature and purpose of processing by the Processor, the duration of the processing and the types of Personal Data and categories of Data Subject are detailed before any processing can commence.
Unless agreed in writing elsewhere between the Processor and Controller, the below table sets out these details:
| Purpose / Activity | Lawful basis for processing including basis legitimate interest |
| Subject matter and nature of the Processing | The subject matter of the Processing is communications with the Controller’s customers, suppliers, staff, etc in the support of business operations. The nature of the Processing is sending letters, electronic communications or any other service described within the service agreement between the Parties to the Controller’s customers, suppliers, staff, etc as required by the Controller. |
| Purpose of Processing | The purpose of the Processing is to provide the agreed/contracted service to the Controller. |
| Duration of the Processing | For so long as is required to deliver the agreed/contracted service and a valid Data Processing Agreement remains in effect. |
| Categories of Data Subjects | The Personal Data to be processed concern the following data subjects: Employees of the Controller Customers of the Controller Parent, carer and advocates of customer of the Controller Suppliers of the Controller |
| Type of Personal Data | The Personal Data to be processed include some or all of the following types of data: Name Address Date of Birth Identification numbers Email Address Phone numbers (mobile or other) Bank Details Vehicle Registration Numbers Salary Taxation documents Financial status |
| Special categories of data | The personal data to be processed concern the following special categories of personal data: None |
Definitions
Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing, all have the meanings given to them in the Data Protection Legislation.
Confidential Information any information or combination of information that contains details about an organisation or an individual person that was provided in an expectation of confidence. This includes for example, non-personal corporate or technical information that is commercially sensitive, drafts of documents that are not ready for publication, restricted information and documents, etc. as well as personal data.
Customer Data any Personal Data (including special category Personal Data) and Confidential Information processed by the Processor on behalf of the Controller or in connection with, the provision of the contracted service. This includes all information supplied to the Processor by the Controller and any additional information that the
Processor obtains during the term of the contract and shall apply equally to original Customer Data and all back-up and/or copies printed out but excludes any Personal Data to the extent that a specific contracted service requires the Processor to process such Personal Data as a controller.
Data Protection Legislation all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR; the Data Protection Act 2018 (DPA 2018) (and regulations made thereunder) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications).
UK GDPR has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.