RS-202
Data Processing Agreement
Standard UK GDPR processor terms for client engagements
RECREO CONSILIUM
RS-202
Data Processing Agreement
Standard UK GDPR processor terms for client engagements
For use only where Recreo Consilium processes personal data on behalf of a client.
| Version | 1.0 |
|---|---|
| Classification | Client / External |
| Website | www.recreo.co.uk |
| Positioning | Independent Advisory Practice |
Document Control
| Field | Detail |
|---|---|
| Document reference | RS-202 |
| Title | Data Processing Agreement |
| Version | 1.0 |
| Status | Controlled client issue |
| Owner | Director, Recreo Consilium |
| Classification | Client / External |
| Company | Recreo Consilium (17315664) |
| Registered office | 223 Avonmouth Road, Bristol, BS11 9EJ |
| Contact email | hello@recreo.co.uk |
| Jurisdiction | United Kingdom |
| Related documents | RS-101 Privacy Policy; RS-201 Consultancy Engagement Terms |
Revision History
| Version | Date | Status | Summary |
|---|---|---|---|
| 1.0 | 3 July 2026 | Controlled client issue | Clean version 1.0 issue for use with client engagements, subject to engagement-specific review. |
Contents
1. Purpose
2. When this agreement applies
3. Definitions
4. Roles of the parties
5. Processing instructions
6. Details of processing
7. Confidentiality
8. Security measures
9. Sub-processors
10. Data subject rights
11. Personal data breaches
12. International transfers
13. Records and audit
14. Deletion or return of data
15. Liability and order of precedence
16. Contact details
Schedule 1 - Processing details
Schedule 2 - Security measures
1. Purpose
This Data Processing Agreement sets out the terms that apply where Recreo Consilium processes personal data on behalf of a client as a processor under UK data protection law.
It is intended to be used with RS-201 Consultancy Engagement Terms and the relevant engagement document. It should be completed and reviewed before use on any engagement involving material processing of personal data on behalf of a client.
2. When this agreement applies
This agreement applies only where Recreo Consilium acts as processor for a Client that is controller. In many advisory engagements, Recreo Consilium may act as an independent controller for limited business contact information and client correspondence. In those cases, RS-101 Privacy Policy will usually apply instead.
The parties should confirm the correct data protection roles at the start of each engagement.
3. Definitions
In this agreement, controller, processor, personal data, processing, data subject, personal data breach and supervisory authority have the meanings given to them under UK data protection law.
4. Roles of the parties
Where this agreement applies, the Client is the controller and Recreo Consilium is the processor. The Client is responsible for ensuring that it has a lawful basis for the processing and for providing any privacy information required to data subjects.
Recreo Consilium will process personal data only in accordance with the Client's documented instructions, unless required to do otherwise by law.
5. Processing instructions
The Client's documented instructions are set out in the engagement document, this agreement and any written instructions provided by authorised Client representatives. Recreo Consilium will notify the Client if, in its opinion, an instruction infringes UK data protection law.
6. Details of processing
The subject matter, duration, nature, purpose, categories of personal data and categories of data subjects should be recorded in Schedule 1. If Schedule 1 is not completed, the parties should not treat this agreement as fully operational until the missing information has been agreed.
7. Confidentiality
Recreo Consilium will ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations and process personal data only as necessary for the engagement.
8. Security measures
Recreo Consilium will implement appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Indicative measures are set out in Schedule 2 and should be adapted to the nature and risk of the specific engagement.
9. Sub-processors
The Client gives general authorisation for Recreo Consilium to use sub-processors where reasonably required to provide the services, including secure IT, hosting, email, document storage and professional support providers. Recreo Consilium will ensure that sub-processors are subject to appropriate written obligations.
Where a Client requires prior specific approval of sub-processors, this must be stated in the engagement document.
10. Data subject rights
Taking into account the nature of the processing, Recreo Consilium will provide reasonable assistance to the Client in responding to data subject rights requests where such requests relate to personal data processed by Recreo Consilium on the Client's behalf.
11. Personal data breaches
Recreo Consilium will notify the Client without undue delay after becoming aware of a personal data breach affecting personal data processed on the Client's behalf. The notification will include information reasonably available to Recreo Consilium at the time.
12. International transfers
Recreo Consilium will not intentionally transfer personal data outside the United Kingdom unless appropriate safeguards are in place or the Client has provided documented instructions permitting the transfer.
13. Records and audit
Recreo Consilium will maintain records appropriate to the nature of the processing. The Client may request reasonable information to demonstrate compliance with this agreement. Any audit rights must be exercised on reasonable notice and in a manner that does not compromise confidentiality, security or other client obligations.
14. Deletion or return of data
At the end of the engagement, Recreo Consilium will delete or return personal data processed on behalf of the Client, unless retention is required by law, professional obligations, insurance, dispute management or legitimate business record purposes.
15. Liability and order of precedence
This agreement forms part of the wider contractual arrangements between the parties. Liability under this agreement is subject to the liability provisions in RS-201 Consultancy Engagement Terms or any agreed engagement contract, unless otherwise required by law.
If there is a conflict between this agreement and a signed client-specific data processing agreement, the signed client-specific agreement will take precedence.
16. Contact details
Recreo Consilium
Company number: 17315664
223 Avonmouth Road, Bristol, BS11 9EJ
Email: hello@recreo.co.uk
Website: www.recreo.co.uk