Supplier Contract Addendum

Our Supplier Contract Addendum template:

  • GDPR-compliant
  • protect yourself with data warranties
  • drafted by a GDPR-expert solicitor
  • satisfaction guarantee
Money Back Guarantee

How Does It Work?

  1. Download
  2. Edit
  3. Print
  4. Sign

This is our Supplier Contract Addendum template for use when you are contracting with a supplier that does not have a GDPR-compliant data privacy notice in their terms and conditions or other contract with you. You can send them this notice and tell them that it acts as a supplement or addendum to that contract.

You have a duty to ensure that, just as you must comply with the GDPR, your suppliers are all contractually bound to comply with GDPR in case you share any personal data with them. To avoid the risk of a 2% of global annual turnover/€10m fine (whichever is the greater), you need to put in place a binding agreement with your data processors (Art. 28 GDPR) that regulates, as a minimum, the subject-matter, duration, nature and purpose of the processing. This supplier contract addendum template enables you to tackle that need quickly and easily.

Our Supplier Contract Addendum template provides warranties (i.e. promises) from the supplier to you that the data they pass to you has been collected properly and processed in accordance with the law, and that, once passed to you, you will be able to process it lawfully.

If you have no written contract in place with a supplier (i.e. you only have a verbal contract), then, instead of this template, you should use our Data Processing Agreement template, as it takes the form of a short contract that focusses only on this issue (and deals with the same issues).

This is a key part of our GDPR compliance kit.

Below you will find a preview of the guide that comes with the template when you purchase it. This gives you an idea of its contents.

Guide to Supplier Contract Addendum – Data Warranties

This template is designed to enable compliance with the requirements of Article 28 of GDPR. Article 28 requires that, when your business engages a service provider that will receive and process any personal data from you, you have a written contract in place with them which contains a set of warranties regarding how they will protect that data.

If you engage a supplier of services to your business and they either do not have a written contract for the services being supplied, or the contract does not include the data processing warranties, then you can put this document in place with the supplier.

The remainder of this guide will take you through editing and completing the template, clause-by-clause.

Clauses in this Supplier Contract Addendum – Numbered clauses

Purpose – This section explains the purpose of this document. You need to add a description of the services that the supplier is providing to you.

Definition of Data Protection Legislation – This section of the template confirms that references to ‘Data Protection Legislation’ cover the GDPR as well as any subsequent legislation that may be brought in to replace GDPR in the future.

1. Protection of Data

1.1 This clause confirms that both parties will comply with all of the requirements of the Data Protection Legislation.

1.2 This clause confirms that, as the customer in the relationship, your business will take the role of the Data Controller and that the supplier will take on the role of the Data Processor for the purpose of GDPR.

1.3 This clause confirms that the scope and nature of the data processing that the supplier will undertake is to be set out in Schedule 1 to the document.

1.4 This clause records your business's confirmation to the supplier that you have the required legal basis for passing personal data to them.

1.5 This clause sets out a series of warranties (see clauses 1.5.1 to 1.5.4) that the supplier provides to you which state that the supplier will treat the data that is passed to them in a way that ensures compliance with GDPR.

Schedule 1 – Processing by the Supplier

1. Scope – In this section of the schedule you should add a summary of what the supplier is being requested to do with the personal data.

2. Nature – In this section add a description of how the supplier is expected to use the personal data.

3. Purpose – In this section add an explanation of the purpose of the processing that the supplier will undertake.

4. Duration – In this section set out how long the processing of the personal data by the supplier is expected to take.