-
I need to share confidential information: how can I ensure it stays secret?
Sharing confidential information can be a complex and sensitive matter, and it is important to take steps to protect the information from unauthorised access, use, or disclosure. Some methods to ensure the confidentiality of information include:
Non-Disclosure Agreements (NDAs): Have the recipient sign a legally binding NDA that prohibits them from sharing the information with anyone else. These can be mutual (protecting confidential information exchanged between the parties) or one-way (protecting confidential information provided by one party to another) depending on the commercial reality of the situation.
Practical steps such as:
Encryption: Encrypt the information before sharing it, using a secure encryption method such as AES or RSA.
Controlled access: Limit access to the information to only those who need it, and use strong passwords and two-factor authentication to secure the information.
Physical security measures: Store physical copies of the information in a secure location, such as a locked cabinet or safe.
Monitoring: Monitor access to the information and track any changes or disclosures. Where data is shared on a virtual platform, it is possible to be notified of changes made to documents and to receive a report of any access made or changes to the documents over a defined period of time.
Data minimisation: Only share the minimum amount of information necessary, and keep the rest confidential.
Regular security assessments: Regularly assess the security measures in place to ensure they remain effective and address any vulnerabilities.
Limiting what is shared: as a common-sense point, the best and most practical way to ensure that confidential information remains secret is to tell such information only to those people who need to know it and, in accordance with the data minimisation mentioned above, to give away only what is absolutely necessary for the performance of any obligation.
It is also important to train employees and contractors on the importance of confidentiality and the steps they need to take to protect sensitive information. Additionally, organisations should have a plan in place for responding to potential breaches of confidentiality, such as identifying the source of the breach, assessing the impact, and taking appropriate remedial action.
Containing a confidentiality clause in any contract between the parties is a good way of ensuring that parties are aware of their obligations in relation to confidential information and enables additional obligations to be included as warranties within the contract, such as ensuring that employees and contractors are aware of the obligations and that these apply equally to them.
-
How can I ensure that I can be released from a contract if the relationship sours?
To ensure that you can be released from a contract if the relationship sours, you should include a termination clause in the contract that outlines the conditions under which either party can terminate the agreement. This clause should specify the notice period required for termination, any penalties for early termination, and any procedures that must be followed.
It is also worth bearing in mind the parties' common law right to accept a repudiation of the contract, granting the aggrieved party the choice of whether to end the contract or to affirm it and carry on as is (with both options enabling damages to be claimed by the aggrieved) where a substantial breach has occurred. As a practical step, parties to a contract may wish to ensure that such right has not been expressly excluded from the contract.
Additionally, you may want to consider including a mediation or arbitration clause that provides for a resolution process in the event of a dispute. It’s important to have a clear understanding of the terms and conditions of the contract before signing it. If your contract is silent on this point or is not clear then we can still help with our expert legal advice and years of commercial experience.
-
What is a material breach of a contract and how can I ensure I’m protected against this?
A material breach of contract occurs when a party fails to perform a substantial obligation under the agreement, which would result in a failure of the purpose of the contract. For example, failing to deliver goods or services as agreed, or not meeting quality standards as outlined in the contract.
To protect yourself against material breaches, you can:
– Clearly define the terms and obligations of the contract in writing
– Include provisions for how breaches will be addressed and the remedies available; these remedies being of adequate significance to deter the parties from committing breaches of the contract
– Conduct proper due diligence before entering into a contract
– Consider using an arbitration clause to resolve disputes, which could enable the commercial relationship between the parties to remain, to both parties' benefit
– Keep detailed records of all performance under the contract
If you believe a material breach has occurred, it is advisable to seek legal counsel to understand your rights and options under the contract and applicable laws.
-
How can I transfer my IP rights to someone else?
Intellectual Property Rights (IPRs) can be transferred to another person or company either by way of an assignment or by licensing the IPR to the other party. The method chosen will depend on whether the transferor wishes to retain ownership over the IPR being transferred.
Assignment
Where a person or company wishes to sell their IP rights in the protected property to another, they will need to ensure that these rights are assigned to the buyer to allow them to benefit from and be able to exploit the IPR in the protected property.
An assignment of intellectual property agreement will need to be drafted, which will contain the price which the buyer will be paying for the IPRs, warranties (factual statements) and indemnities (promises to reimburse to cover claims following assignment).
Warranties may include that the seller is the rightful owner of the IPRs, that the IPRs have not been licensed to a third party and the seller is not aware of any infringement of the IPRs.
In relation to indemnities, the buyer will likely seek an indemnity that if, following the sale, they face a claim by a third party for IP infringement, the seller will cover all costs and expenses in defending the claim.
Licensing
Where a person or company wishes to retain ownership over the IPRs but enable another person or company to use the IPR, then a licence could be granted and the licensor (the one granting the licence) could charge either a one-off lump sum or a periodic fee for the buyer's use of the IPRs.
The licensor will also need to decide whether an exclusive or non-exclusive licence will be granted to the buyer, the latter enabling multiple licensees to exploit the IPR.
The decision is likely to be centred around ownership and whether the owner of the IPRs wishes to retain it.
-
Supply Agreements: whose terms and conditions apply?
The terms and conditions (T&Cs) which apply to a contractual agreement between the parties will depend on which party’s T&Cs are deemed to be incorporated into the contract.
The law in England and Wales has traditionally held that where there is conflict between the T&Cs of each party, the ‘battle of the forms’ will be won by the party who put forward their T&Cs last which were not explicitly rejected by the other party. However, this has been questioned in recent case law, so it is important for companies to take practical steps to ensure their T&Cs are incorporated.
Some of these practical steps are as follows:
Draw the other party’s attention to the T&Cs during the pre-contract stage of the relationship;
Where you are providing/supplying the goods/services, sending an acknowledgement following receipt of individual orders asserting that your T&Cs govern the contract;
Sending a copy of your T&Cs to existing contractually engaged parties and requesting that they sign and return these as acknowledgement that they will govern future orders;
Links in emails to the T&Cs; a copy of the T&Cs affixed to letters sent to the other party.
It is important to note that silence does not amount to acceptance and that in some situations, it may instead be worth directly discussing T&Cs with the other party and reaching a mutual position on any sticking points.
-
Does Brexit affect my GDPR compliance requirements?
Yes, Brexit can affect data privacy compliance requirements for organisations operating in the European Union (EU) and the United Kingdom (UK). Prior to Brexit, the EU and UK were part of the same data protection framework under the General Data Protection Regulation (GDPR). However, after Brexit, the UK became a third country from the perspective of the EU, meaning that data transfers between the EU and UK are subject to additional restrictions.
Whilst the UK Data Protection Act 2018 (DPA) does allow data transfers to continue between the UK and European Economic Area (EEA) countries, where the EEA country is deemed ‘adequate’ in accordance with the DPA, organisations operating in the EU and UK need to undertake enhanced due diligence to ensure they and any data processors with whom they engage have appropriate mechanisms in place to comply with the data protection laws of both territories, such as Standard Contractual Clauses (SCCs), International Data Transfer Agreements (IDTA) or Binding Corporate Rules (BCRs). They also need to be mindful of local laws and regulations, such as the UK’s Data Protection Act 2018, UK GDPR and the EU’s GDPR, and ensure they are taking the necessary steps to protect personal data in accordance with these laws.
In summary, Brexit has made data privacy compliance more onerous and complex for organisations operating in both the EU and UK, and it is important for such organisations to stay informed and up-to-date on the latest data protection requirements and ensure that thorough checks and processes are in place and followed to ensure compliance with heavier regulation.
-
Reasonable or best endeavours: what is the difference?
Where endeavours are used within a contract, this will typically obligate a party to ‘try’ to satisfy an obligation rather than absolutely commit to it.
Best endeavours
Through case law, the term has been refined to mean to take all those steps in their power which are capable of producing the desired results … being steps which a prudent, determined and reasonable [obligee], acting in his own interests and desiring to achieve that result, would take.
This therefore requires a party to use their best efforts as if they were acting in their own interest and may even require expenditure on the part of the obligee.
Reasonable endeavours
This is interpreted as being less burdensome than best endeavours and the courts' interpretation has been that the obligor (being the party obligated to undertake the action under contract) must balance the weight of their obligation against any relevant commercial considerations.
Once the obligor has taken reasonable steps in relation to the contractual obligation and no further reasonable steps can be taken to achieve the objective, then the obligor is no longer required to try.
Other commonly used endeavours
Due to their slightly ambiguous nature, endeavours clauses are interpreted by the courts on a case-by-case basis and dependent on what the obligation is and what a reasonable person can do. As such, there are a number of other commonly used endeavours terms which parties may use:
– commercial endeavours;
– utmost endeavours;
– commercially reasonable endeavours.
The strength of the burden under these will be for the courts to decide in relation to the case in which they are used.
-
Limitation of liability: how do I decide the liability cap/what is a sufficient liability cap?
A limitation of liability is a provision in a contract that restricts the maximum amount of damages that a party can recover in the event of a breach of contract or other legal claim. When determining the amount of the liability cap, there are several factors to consider:
Nature of the business and risks involved: The liability cap should reflect the nature of the business and the potential risks involved, taking into account the potential harm that could result from a breach or failure.
Contractual obligations: The liability cap should be consistent with the parties’ obligations under the contract and the level of protection each party is entitled to receive.
Industry standards: Consider industry standards for similar contracts and determine if the proposed liability cap is in line with these standards.
Legal and regulatory requirements: Check for any legal or regulatory requirements that may affect the liability cap, such as consumer protection laws or regulations that set minimum standards for liability.
Insurance coverage: Consider the parties’ insurance coverage and the extent to which insurance can be relied upon to cover losses.
Bargaining power: Consider the relative bargaining power of the parties, and aim to negotiate a fair and reasonable liability cap that is acceptable to both parties.
In general, a sufficient liability cap should be high enough to provide meaningful protection to both parties, but not so high that it discourages parties from performing their obligations under the contract. The precise amount of the liability cap will depend on the specific circumstances of each case and the needs of the parties. It is important to consult with legal counsel to determine a liability cap that is appropriate for your particular situation.
-
Do my business activities need to be UK GDPR and DPA compliant?
Where data and the processing of such data is to be undertaken by a business as part of its business activities, the relevant business will need to be aware of its obligations under the UK GDPR and the Data Protection Act 2018 (being its implementing statute).
Processing data includes, but is not limited to, the use, storage, alteration or destruction of personal data by an entity. This also includes both wholly or partially automated methods of data processing as well as manual processing.
Some examples of processing include the storage of IP addresses, databases with client details (such as email addresses, telephone numbers, physical addresses etc.) and administration of staff/payroll processes.
Personal data under UK GDPR includes any data which relates to an identified or identifiable person; namely data which could be used to identify a person.
Due to the broad definition of processing, it is likely that most businesses will need to be aware of their data processing obligations and the requirements thereunder.
A data processor should also be aware of its obligations to have adequate systems in place for the processing of personal data and that the staff involved in data processing are adequately trained and aware of their responsibilities in relation to the safeguarding of data subjects' personal data.
A data controller, on the other hand, is an entity which determines the purposes for which and the manner in which personal data is to be processed. This means that a party which is a data controller will determine ‘why’ and ‘how’ data is to be processed.
Where a data controller is to outsource its processing (or a processor outsources to a sub-processor) then they should conduct thorough due diligence on the external processor/sub-processor particularly in relation to their security framework and procedures in place in case of a data breach, as typically overall responsibility rests with the data controller.
-
What do I need in my terms and conditions?
An underlying set of terms and conditions will typically govern the relationship between contractual parties, often in relation to the provision of goods or services by one party to another. Which party's terms and conditions will govern the engagement will depend on whose terms and conditions are incorporated into the agreement (see our FAQ below for details).
A set of terms and conditions will typically be drafted fairly broadly to cover the specific terms relating to the goods or services being provided alongside the following:
Obligations of the seller and the buyer – these will outline the duties each party shall be obligated to take in relation to the goods/services, this will typically centre around payment by the buyer for the goods/services and delivery or performance in relation to the seller.
Liability is also commonly included in relation to the parties – whereby the responsibilities for any liability arising in connection with the terms and conditions will be apportioned between the parties in reference to their obligations and breaches thereof.
Termination provisions and the resulting consequences of termination should also be outlined, including the termination process and the requirements which need to be met in order to terminate the provision of goods/services. This may include grounds for termination such as material breaches, the occurrence of an insolvency event or termination by convenience on a specified amount of notice. The consequences of termination will likely include when the provision of goods/services cuts off, when the remaining sums will be payable by the buyer and the return/destruction of any goods or intangible property of the seller.
Personal data may also be featured in a set of terms and conditions, with both parties' roles (whether this be controller – processor or controller – controller) being outlined and that the parties will adhere to the relevant data-related legislation when processing personal data of the other alongside warranties relating to the parties maintaining adequate framework for data to be transferred.
Typically general obligations will be featured at the end of the terms and conditions, rounding up and ticking off what has not been expressly covered previously. These will include entire agreement provisions, severance, waiver of rights, notice periods and dispute resolution processes.
It is important to remember that often, an individual order for goods/services and the terms therein may override the terms within the terms and conditions. As such, careful consideration should be made regarding the superiority of the different contractual documents used within a transaction.
-
Am I a data controller/data processor? (and what are my duties)
A data controller will determine the personal data which is to be collected from data subjects (those natural persons who the data belongs to) and why such personal data is to be collected. The data controller will therefore have overall control and responsibility over the data in question.
The data controller will also be responsible for determining the lawful basis on which data is collected, who data can be disclosed to, responses to requests by data subjects and the length of time data is to be retained/when the data is to be destroyed.
A data processor will need to ensure that data is processed (which includes data storage and forming databases using client personal data, such as email addresses, telephone numbers, physical addresses and so forth) in accordance with the data controller's instructions.
The data processor will be responsible for the security measures in place to protect personal data, how data will be stored (and the IT systems used), transfers of personal data from one entity to another and the practicalities of the deletion or disposal of data.
Whilst typically an entity will be either a controller or a processor, there may be times when they act as both. For example, if an entity is a processor which provides services to data controllers, the entity will likely be a controller of some personal data and a processor of other data. In some circumstances, an entity may be a controller and processor of the same data set, where the entity is processing such data for different purposes.
However, where an entity is acting as both a processor and controller, it will need to be able to distinguish between the personal data it is processing as a controller and that which it is processing as a processor.