GDPR clause for your employment contracts

In May 2018, significant changes were made to the data protection regulations in the form of the acronym which put the fear into us all - GDPR!

Most practices will have navigated through the changes safely with no major breaches. However, it would be prudent to ensure that your employment contracts contain a clause that employees sign so they are aware of what information is being held on them.

We suggest that you have this clause in your employment contracts going forward.


By signing this agreement, the employee confirms that they have read and understood the practice’s data protection policy, a copy of which is contained in the staff handbook. The practice may change its data protection policy at any time and will notify employees in writing of any changes.

The employee shall comply with the data protection policy when handling personal data in the course of employment including personal data relating to any employee, patient, supplier or agent of the practice.

The employee acknowledges that the practice will process data relating to the employee for a variety of purposes and that this may include sensitive personal data relating to the employee. The practice will only process this data where it has a lawful basis for doing so. Details about the type of data held by the practice, the purpose of data processing and the lawful basis on which the data is processed can be found in the practice’s Employee Data Policy OR Employee Data Privacy Notice.

MDDUS members can access our GDPR checklist here. The checklist helps practice managers understand their duties and responsibilities under GDPR. It contains links to practical guidance sheets on what to do in the event of a breach, lawful processing, subject access rights, privacy notices and privacy impact assessments.