‹ Back to policies

RS-202

Data Processing Agreement

Standard UK GDPR processor terms for client engagements

RECREO CONSILIUM

RS-202

Data Processing Agreement

Standard UK GDPR processor terms for client engagements

For use only where Recreo Consilium processes personal data on behalf of a client.

Version 1.0
Classification Client / External
Website www.recreo.co.uk
Positioning Independent Advisory Practice

Document Control

Field Detail
Document reference RS-202
Title Data Processing Agreement
Version 1.0
Status Controlled client issue
Owner Director, Recreo Consilium
Classification Client / External
Company Recreo Consilium (17315664)
Registered office 223 Avonmouth Road, Bristol, BS11 9EJ
Contact email hello@recreo.co.uk
Jurisdiction United Kingdom
Related documents RS-101 Privacy Policy; RS-201 Consultancy Engagement Terms

Revision History

Version Date Status Summary
1.0 3 July 2026 Controlled client issue Clean version 1.0 issue for use with client engagements, subject to engagement-specific review.

Contents

1. Purpose

2. When this agreement applies

3. Definitions

4. Roles of the parties

5. Processing instructions

6. Details of processing

7. Confidentiality

8. Security measures

9. Sub-processors

10. Data subject rights

11. Personal data breaches

12. International transfers

13. Records and audit

14. Deletion or return of data

15. Liability and order of precedence

16. Contact details

Schedule 1 - Processing details

Schedule 2 - Security measures

1. Purpose

This Data Processing Agreement sets out the terms that apply where Recreo Consilium processes personal data on behalf of a client as a processor under UK data protection law.

It is intended to be used with RS-201 Consultancy Engagement Terms and the relevant engagement document. It should be completed and reviewed before use on any engagement involving material processing of personal data on behalf of a client.

2. When this agreement applies

This agreement applies only where Recreo Consilium acts as processor for a Client that is controller. In many advisory engagements, Recreo Consilium may act as an independent controller for limited business contact information and client correspondence. In those cases, RS-101 Privacy Policy will usually apply instead.

The parties should confirm the correct data protection roles at the start of each engagement.

3. Definitions

In this agreement, controller, processor, personal data, processing, data subject, personal data breach and supervisory authority have the meanings given to them under UK data protection law.

4. Roles of the parties

Where this agreement applies, the Client is the controller and Recreo Consilium is the processor. The Client is responsible for ensuring that it has a lawful basis for the processing and for providing any privacy information required to data subjects.

Recreo Consilium will process personal data only in accordance with the Client's documented instructions, unless required to do otherwise by law.

5. Processing instructions

The Client's documented instructions are set out in the engagement document, this agreement and any written instructions provided by authorised Client representatives. Recreo Consilium will notify the Client if, in its opinion, an instruction infringes UK data protection law.

6. Details of processing

The subject matter, duration, nature, purpose, categories of personal data and categories of data subjects should be recorded in Schedule 1. If Schedule 1 is not completed, the parties should not treat this agreement as fully operational until the missing information has been agreed.

7. Confidentiality

Recreo Consilium will ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations and process personal data only as necessary for the engagement.

8. Security measures

Recreo Consilium will implement appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Indicative measures are set out in Schedule 2 and should be adapted to the nature and risk of the specific engagement.

9. Sub-processors

The Client gives general authorisation for Recreo Consilium to use sub-processors where reasonably required to provide the services, including secure IT, hosting, email, document storage and professional support providers. Recreo Consilium will ensure that sub-processors are subject to appropriate written obligations.

Where a Client requires prior specific approval of sub-processors, this must be stated in the engagement document.

10. Data subject rights

Taking into account the nature of the processing, Recreo Consilium will provide reasonable assistance to the Client in responding to data subject rights requests where such requests relate to personal data processed by Recreo Consilium on the Client's behalf.

11. Personal data breaches

Recreo Consilium will notify the Client without undue delay after becoming aware of a personal data breach affecting personal data processed on the Client's behalf. The notification will include information reasonably available to Recreo Consilium at the time.

12. International transfers

Recreo Consilium will not intentionally transfer personal data outside the United Kingdom unless appropriate safeguards are in place or the Client has provided documented instructions permitting the transfer.

13. Records and audit

Recreo Consilium will maintain records appropriate to the nature of the processing. The Client may request reasonable information to demonstrate compliance with this agreement. Any audit rights must be exercised on reasonable notice and in a manner that does not compromise confidentiality, security or other client obligations.

14. Deletion or return of data

At the end of the engagement, Recreo Consilium will delete or return personal data processed on behalf of the Client, unless retention is required by law, professional obligations, insurance, dispute management or legitimate business record purposes.

15. Liability and order of precedence

This agreement forms part of the wider contractual arrangements between the parties. Liability under this agreement is subject to the liability provisions in RS-201 Consultancy Engagement Terms or any agreed engagement contract, unless otherwise required by law.

If there is a conflict between this agreement and a signed client-specific data processing agreement, the signed client-specific agreement will take precedence.

16. Contact details

Recreo Consilium
Company number: 17315664
223 Avonmouth Road, Bristol, BS11 9EJ
Email: hello@recreo.co.uk
Website: www.recreo.co.uk