We've got a new look! Tenet Education Services and CPL Group have joined the CPC brand! Learn more 

CPC Swoosh

How to update your contracts to comply with GDPR

How to update your contracts to comply with GDPR

The General Data Protection Regulation (GDPR) and Data Protection Act 2018 came into force on 25 May 2018.

All new CPC Framework's include new data protection clauses, so that our contracts comply with the GDPR and the new Data Protection Act.

What will happen with existing frameworks and contracts?

We have taken a risk based prioritisation approach to implementing GDPR into our frameworks and contracts:

  • Low risk -- where there is minimal or no personal data involved, no change will be made to include the new GDPR clauses. However, and regardless of risk, we will incorporate the changes to the T&Cs of all new frameworks.
  • Medium to High risk -- where suppliers' process personal data, a call-off deed of variation is made available for members to download from the bottom of this webpage. As Call-off contracts are between you and our Suppliers, we are not a party to this, so this will need to be done by yourselves and our suppliers. Our medium to high risk suppliers have also been provided with a copy of this deed of variation. We have worked with other consortia to ensure consistency of approach.

What about my existing contracts where I have used a CPC framework?

For existing CPC framework contracts you should follow the variations to Call-Off T&Cs and variation guidance documentation available to download.

As CPC is not a party to the contract between the Member and the Supplier, Members will be responsible for issuing the variation to make these changes into any of your call-off contracts involving the processing of personal data.

What about my existing contracts where I have not used a CPC framework?

Members will be able to use the GDPR clauses to update their own Terms and Conditions or update their own Call-Off Terms and Conditions as necessary.

The call-off Deed of Variation Guidance, the proposed Deed of variation and the GDPR clauses are for use within your own institutions Terms and Conditions, which you may want to start sending to your high-risk suppliers.

You should only send this Deed of variation if you initially contracted using the proposed call-off terms and conditions template supplied by the consortium.

You should also check that the Clause numbering in the variation matches your original contract, so that Clause 29 in the original contract is the section covering Data Protection. If not, you will need to amend accordingly.

We will soon advise the agreements and suppliers and confirm the revised Call-Off T&Cs and variation guidance and framework T&Cs are available.

Do suppliers have to accept the change?

Yes, they are under a duty to comply with law, and the GDPR requires them to insert these provisions.