SDL and Vendor

Data Processing Agreement

Frequently Asked Questions
Data protection law is one of the fastest developing areas of law in the world. It is also one of the most high profile. Hardly a week goes by without news of another data breach. SDL is responding to the needs of our customers, employees and suppliers to ensure SDL’s operations are compliant with data protection law. The cybersecurity measures we deploy must be appropriate for current risks. Our Freelancers play a key role in ensuring SDL achieves our goals and delivers a compliant, first-rate service. We have produced these FAQs to help you understand why we are asking you to enter into the Vendor Agreement, the separate Exhibits and Data Processing Agreement.

Vendor Agreement

This document contains the information needed to create a business relationship between you and SDL. It creates the formal relationship, explaining what you have to do and that SDL has to pay you for the work you do. As with any legal document, it then covers the legal obligations and responsibilities of both you and SDL. This document is necessary so that both you and SDL have a formal record of our agreement. This document can be used by you and SDL to evidence our relationship to the authorities, perhaps for tax purposes or regulatory purposes, and for SDL to disclose to our customers.
SDL has been engaging with Freelancers for many years. Over those years the Vendor Agreements produced were fit for purpose at the time, but over time they have become insufficient. This current Vendor Agreement has been produced to deal with the issues agreements have to address today. This new agreement provides clarity on what is required of the parties in today’s business environment.
This type of provision is commonly found in commercial agreements. SDL is usually required to indemnify our customers if SDL or our sub-contractors (i.e. you) are in breach of contract. We also require our Vendors to have adequate insurance which will provide you with protection in many circumstances.
Compliance is an increasing requirement in all areas of business. The localisation industry is becoming more compliance focussed. SDL and our customers put in place processes and requirements to be followed to complete tasks. In particular, the security standards to be followed are an aspect of compliance. It is then necessary to check that these standards are being followed by auditing the activity and practices. SDL therefore includes in our agreement with you the right to audit you. In some cases our customers insist they also have the right to audit our Vendors, and we include this right in the agreement.

Exhibits

The Vendor Agreement contains the legal terms and conditions and the Exhibits contain more practical details and information. The Exhibits and their contents are still part of the contract agreed between SDL and you. We keep these separate because we may need to update these as operational and practical aspects develop. Updating one Exhibit is easier than updating the whole Agreement and will be easier for you to see the changes.
Yes, you do, as we need the agreement between you and SDL and the operational requirements and security obligations to be current.

Data Processing Agreement

Under data protection law such as the General Data Protection Regulation (GDPR) or the UK Data Protection Act 2018, the processing of personal data shall be governed by a written contract. Such a contract is called a DPA, and this document sets out the obligations for processing personal data by one party on behalf of another party. We have also included in the DPA details about what SDL will do with your personal data and what you may be required to agree to, if required, to enable you to process personal data on behalf of SDL’s customers.
You may be required to process personal data when undertaking translation work. Data protection law considers any activity performed on personal data to be processing. So if you undertake any translation work, that will be processing.

These are terms which appear in data protection law to describe organisations that are undertaking data processing. We explain these in the context of your work with SDL: 

  • Data Controller: SDL’s customer who determines what happens to the personal data they control. 
  • Data Processor: SDL when acting for our customer, as we process personal data on their behalf. 
  • Sub-processor: a third party engaged by SDL to process Personal Data on behalf of SDL’s customer.

SDL shall use only sub-processors who provide sufficient guarantees and who meet the requirements of GDPR. By signing the DPA you are committing to comply with the requirements which control your processing of personal data on behalf of SDL and our customers.
As the DPA imposes obligations on you and SDL with regard to the processing of Personal Data, you do have to comply with the obligations if you process personal data. We do not consider these obligations unreasonable, as they are ones commonly applicable.
You will not qualify as a Vendor that meets GDPR requirements and therefore you will not be able to provide services to SDL when the material to translate contains personal data.

Standard Contractual Clauses

These clauses will only have to be signed by some people resident outside of the European Union and European Economic Area countries and, once Brexit occurs, by United Kingdom residents.
They are contractual clauses, reviewed and approved by the European Commission, that provide a framework to allow organisations in the EEA to transfer personal data designated to a processor outside of the EEA.
The GDPR restricts the transfer of personal data to countries or territories outside of the EEA. It is permitted in certain circumstances, one of which is where the organisation in the EEA and the processor outside of the EEA have signed the SCC and the processor complies with the requirements of the SCC.
The European Commission has decided that some countries have data protection law which they consider provides suitable protection for processing of personal data. These countries are said to be “adequate” and their national law is relied upon rather than requiring SCC to be agreed. For a list of adequate countries see: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
This is because as soon as the UK leaves the EU it is outside the EU. Currently, the UK is not considered an adequate country. Therefore it is necessary for organisations processing personal data from the EU to enter into the SCC to enable the data to be transferred from the EEA to the UK. While there may be a temporary arrangement if a transition period is agreed between the UK and EU, there may still exist a need for SCC to be agreed.
According to GDPR, SDL is allowed to transfer personal data outside of the EEA to a “non-adequate” country, provided SDL has in place appropriate safeguards to transfer such data. The SCC adopted by the European Commission are considered by the GDPR as an appropriate safeguard.

These are terms which appear in the SCC. 

  • Data Exporter: the organisation established in the EU sending the personal data to a data importer located in a “non-adequate” country – SDL or our customer. 
  • Data Importer: the organisation located in a “non-adequate” country receiving the personal data – You.

SDL shall only transfer personal data outside of the EU to sub-processors who meet the requirements of GDPR. By signing the SCC you and SDL are committing to comply with adequate safeguards with respect to the transfer of personal data outside of the EEA to a “non-adequate” country.
You will not qualify as a Vendor that meets GDPR requirements and therefore you will not be able to provide services to SDL when the material to translate contains personal data.