Checklist: Processor due diligence (data protection and cybersecurity) (UK)

Updated as of: 05 February 2025

This checklist provides step-by-step due diligence guidance for in-house counsel and private practitioners when engaging service providers or suppliers who will also act as processors of personal data (processor), or to assist them when advising internal and external clients on these issues. The straightforward question-based format of the checklist can also be used by any other stakeholders (eg, members of the procurement team) when performing an initial high-level assessment of the data protection and cybersecurity compliance of a potential supplier.

The checklist is UK-focused but also covers: 

  • general requirements under the EU General Data Protection Regulation (EU GDPR) as these may still be relevant to some UK organisations due to the application of the extra-territorial scope provisions in article 3(2) EU GDPR; and
  • the interpretation of such EU GDPR requirements by the Information Commissioner’s Office (ICO).

It does not cover any local European Economic Area (EEA) data protection law requirements or interpretation of the EU GDPR by EEA data protection regulators.

The checklist addresses the following steps:

  1. Assess the details of the services and data processing
  2. Assess the supplier’s compliance with data protection and privacy requirements
  3. Assess the supplier’s cybersecurity compliance
  4. Assess whether any additional queries are necessary

The checklist is presented as a list of requirements that you can tick off as they are addressed. It is divided into the key areas to focus on when performing due diligence on potential processors. At the end of the document there are specific notes corresponding with each step in the checklist. Use the ‘Supplier response’ column to document any information received from the service provider or supplier.

For the purposes of this checklist, the controller is usually a customer looking to contract various services from a supplier who will also act as a processor of personal data. In this checklist the respective parties are generally referred to throughout as ‘customer’ and ‘supplier’.

Key definitions such as ‘controller’, ‘processor’, ‘data subject’, ‘personal data’, 'personal data breach' and ‘processing’ are further explained in How-to guide: Understanding key data protection definitions.

This checklist can be used in conjunction with section 3 of the following How-to guide: How to ensure compliance with the GDPR and Checklist: GDPR compliance self-assessment audit.

Step 1 – Assess the details of the services and data processing

No.  Customer action  Supplier response
1.1  Obtain a description of the products, services or solutions and the data that is being processed
1.2  Check what the main data processing activities are that the supplier is undertaking
1.3  Check whether the supplier is a processor or a controller of this data
1.4  Check where the data is stored or recorded
1.5  Ensure you understand the terms of the contract with the supplier
1.6  Check who has access to the data and with whom the data is shared
1.7  Ensure you understand how the supplier intends to use personal data

Step 2 – Assess the supplier’s compliance with data protection and privacy requirements

No.  Customer action  Supplier response
General compliance with data protection laws
2.1  Check how the supplier ensures compliance with applicable legislation (which may include electronic communications and marketing laws) and/or instructions (if the supplier is a processor) with respect to the protection and processing of personal data
2.2  Check whether the supplier is registered with the UK Information Commissioner’s Office (ICO) or other data protection regulator
Governance framework
2.3  Check whether the supplier has a data protection officer (DPO) or someone else who has been designated to take responsibility for data protection
2.4  Check the terms of the supplier’s data protection and related policies and procedures that are in place in their organisation
Data protection training
2.5  Check whether data protection training (including on the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR) or any other applicable ePrivacy laws for any marketing services) is provided to relevant supplier staff
Investigations, complaints and requests
2.6  Check whether the supplier has been the subject of any complaints or enforcement action regarding their data protection, ePrivacy or PECR compliance
2.7  Check whether there have been any material breaches of contractual obligations relating to data protection or data security
2.8  Check whether the supplier has received any complaints from data subjects in respect of the handling of their personal data
2.9  Ask for details regarding the process for assisting or dealing with data subject requests
2.10  Ask the supplier for details on responding to requests for access to data
Data breaches
2.11  Check what processes, procedures and plans are in place to deal with a data breach
2.12  Check whether the supplier has experienced a security incident or data breach relating to personal data within their systems or control
2.13  Check whether the supplier’s staff and subcontractors handling personal data are subject to confidentiality obligations and confirm that they are made aware of the contractual obligations to the customer
Processors’ obligations
2.14  Check what controls the supplier has in place to ensure that the data is only processed on the customer’s (as the controller of the data) instructions
2.15  Check whether the supplier is proposing to subcontract any part of the work which involves the processing of personal data
2.16  Check whether any of the customer’s personal data will be processed outside of the UK or EEA (including via remote access)
2.17  Check what assistance or support the supplier can give in respect of the customer’s obligations under the GDPR as a data controller

Step 3 – Assess the supplier’s cybersecurity compliance

No.  Customer action  Supplier response
3.1  Check the supplier’s technical and organisational security measures for the protection of personal data
3.2  Check whether the supplier has an approved information security policy in place
3.3  Check whether the supplier has procedures for information security incident management that include detection, resolution and recovery
3.4  Check whether information security relevant roles are identified, and responsibilities assigned, within the supplier’s organisation
3.5  Check whether the supplier defines and implements a policy that addresses information security risks within the supplier’s relationships
3.6  Check whether the supplier defines and implements a policy that ensures that all functions have sufficient and appropriately qualified resources to manage the establishment, implementation and maintenance of information security
3.7  Check whether the supplier ensures that personnel with information security responsibilities are provided with suitable training
3.8  Check whether the supplier has a policy to control access to information and information processing facilities
3.9  Check whether the supplier has a policy to control the exchange of information via removable media
3.10  Check whether the supplier has a policy to manage the access rights of user accounts
3.11  Check whether the supplier has a policy, and deploys technical and organisational measures, to maintain the confidentiality of passwords and decryption keys
3.12  Check what measures the supplier has in place to prevent unauthorised access to their systems from outside their company
3.13  Check whether the supplier has a backup and disaster recovery policy and business continuity plans

Step 4 – Assess whether any additional queries are necessary

No.  Customer action  Supplier response
4.1  Consider whether any additional queries are necessary to address risks specific to the relevant products, services or solutions that are being procured

Disclaimer:

This checklist is not exhaustive and there may be other matters to consider in the controller-processor relationship depending on the specific nature of the proposed arrangements with, and the type of services being provided by, the relevant supplier.

Explanatory notes

Step 1 – Assess the details of the services and data processing

Step 1 of the checklist is designed to place the proposed agreement and your due diligence in context by drawing out the key aspects of the contractual relationship between the customer as controller and the supplier as processor. This will include what services the supplier is providing, what type of data they are processing and how they are processing it as well as the contractual framework under which the services will be provided, and where the data will be processed.

The purpose of Step 1 is for the customer to understand the background to the arrangements that they are assessing. For example, if the customer intends to engage a cloud-services provider, they will first need to understand what services or products the provider is offering, what kind of personal data they process, how and where they process it, how and where they store the personal data and what the contractual terms are (as this may have an impact on data retention, deletion, etc). Background setting is important in order to contextualise the rest of the assessment.

1.1 Obtain a description of the products, services or solutions and the data that is being processed

The description of the products, services or solutions and the data that is being processed should include the following:

  • key processing activities of the supplier;
  • the types and estimated volumes of data being processed;
  • categories of data subjects to whom the processing relates; and
  • whether special categories of personal data or data about criminal offences or convictions are being processed.

1.2 Check what the main data processing activities are that the supplier is undertaking

Examples of the types of data processing activities that a supplier might undertake include collecting data, profiling, automated decision-making, analytics, research and development, customer insight, merging, linking datasets, enriching data, and anonymising data, etc.

1.3 Check whether the supplier is a processor or controller of this data

In checking whether the supplier is a processor or controller, ask the supplier to provide confirmation for each data type and activity listed.

Please note that this checklist is mainly designed to assess customers entering into data processing agreements with suppliers who act as processors; however, it is important to clarify with any supplier if they envisage acting as a processor with respect to all personal data that they process as part of their relationship with the customer or if, in relation to some of the data, they envisage acting as a controller. Consider including contractual terms on the processing of the personal data, even if that part of the processing means the supplier is a separate independent or joint controller.

See further Checklist: Assessing whether an organisation is a controller or processor under the GDPR.

1.4 Check where the data is stored or recorded

If the data is stored in a cloud-based facility, check where the servers are located and who operates them. The customer should also obtain information about how and where the data is backed up and (if relevant) what transfer mechanism is used to comply with the UK GDPR.

1.5 Ensure you understand the terms of the contract with the supplier

Check what the term of the contract is, how long the data is retained by the supplier, and what end-of-contract or services support is provided regarding the return or secure deletion of the customer’s data.

1.6 Check who has access to the data and with whom the data is shared

Check who has access to the data and who the data is shared with, for example, the supplier’s staff, offshore support teams, other group companies of the supplier or other third parties such as sub-processors.

1.7 Ensure you understand how the supplier intends to use personal data

For the customer to comply with their obligations as a controller under relevant data protection laws, they will need to fully understand how the suppliers (as processors) they contract with intend to use (or treat) any personal data they share with them.

In particular, check whether the supplier does any research and development/product or service improvement, etc, using customer data (whether personally identifiable or anonymised) and also check whether the supplier sells or commercialises customer data in any way (whether personally identifiable or anonymised).

This step is designed to dig deeper and understand whether the supplier intends to use shared personal data for any other purposes which may not be immediately apparent from the responses to the other queries above.

Step 2 – Assess the supplier’s compliance with data protection and privacy requirements

Step 2 of the due diligence process focuses on obtaining information about the supplier’s compliance with data protection and privacy requirements. The customer needs to investigate what technical and organisational security measures the supplier has in place to comply with relevant data protection requirements (ie, policies, procedures, compliance documentation, the appointment of a Data Protection Officer, registration with the relevant data protection authority in their jurisdiction, UK General Data Protection Regulation (UK GDPR) article 28 requirements (see below), processes in place to address security incidents, internal training, processes for investigations and enforcement actions, etc).

Article 28(1), UK GDPR requires that a controller of personal data shall only engage processors to process personal data on their behalf if those processors give:

‘sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject’. 

For these purposes, it is important that the customer performs adequate due diligence on any suppliers that it wishes to engage to process personal data on its behalf (as a processor). This is an ongoing requirement and therefore should be repeated at regular intervals and in particular as processing operations evolve.

This checklist is intended to address this requirement and includes some additional questions that go beyond this, such as in relation to cybersecurity, cloud-computing and marketing services (to the extent relevant).

Other key parts of article 28, UK GDPR are focused on the mandatory terms that need to be included in contracts by controllers when they engage processors to act on their behalf, as well as other aspects related to the appointment by such processors of sub-processors.

See further How-to guide: How to ensure compliance with the GDPR.

2.1 Check how the supplier ensures compliance with applicable legislation (which may include electronic communications and marketing laws) and/or instructions (if the supplier is a processor) with respect to the protection and processing of personal data

Verify whether and how the supplier ensures compliance with relevant data protection laws (including the EU GDPR, UK GDPR, Data Protection Act 2018, ePrivacy laws and the Privacy and Electronic Communications Regulations (PECR)), as applicable depending on the nature and jurisdictional scope of the products, services or solutions.

Confirm how the supplier can support the customer in complying with the customer’s obligations under data protection laws, including, but not limited to, responding to data subject requests, notifying the customer if they reasonably believe an instruction may not comply with applicable law, giving all the relevant information if a personal data breach occurs, etc.

2.2 Check whether the supplier is registered with the UK Information Commissioner’s Office (ICO) or other data protection regulator

The customer should check if the supplier is registered with the ICO or any other data protection regulator. Confirm their registration number. If the supplier is not registered, ask them to explain why this is not required or not relevant to the products, services or solutions they are providing. In some cases, registration with the ICO (or other relevant data protection regulator) may not be necessary; however, the supplier should explain why this is the case.

2.3-2.4 Governance framework

As the customer has an explicit obligation under article 28 to choose an appropriate processor, the customer should take steps to understand the supplier’s governance framework. This means, for example:

  • verifying if the supplier has named a DPO or another person who has been tasked with taking responsibility for the data protection and privacy aspects of the supplier’s organisation;
  • checking the terms of the supplier’s data protection and related policies and procedures that are in place in their organisation, how compliance with these policies and procedures is monitored and how frequently they are reviewed;
  • checking for the supplier’s adherence to any recognised industry accreditations, standards or approved codes of conduct; and
  • uncovering any instances of prior non-compliance with data protection-related requirements, such as data breaches, contractual breaches or regulatory investigations (see ‘Investigations, complaints and requests’ and ‘Data breaches’ below).

This part of the checklist is intended to ensure that the customer verifies whether the supplier provides sufficient guarantees that they have implemented appropriate technical and organisational measures to ensure their processing meets UK GDPR requirements and standards. A supplier who is not able to provide compelling information in this section may have an immature data protection programme in place and their suitability should therefore be questioned. 

2.5 Check whether data protection training (including on the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR) or any other applicable ePrivacy rules for any marketing services) is provided to relevant supplier staff

While there is no specific GDPR obligation that mandates controllers to check the levels of training offered by processor organisations, best practice indicates that a controller should assess the level of data protection and privacy training that a processor provides its staff as part of ascertaining whether the supplier provides ‘sufficient guarantees’ as referred to in the notes to Step 2 – Assess supplier’s compliance with data protection and privacy requirements, above.

Untrained or improperly trained staff can put the processor (and by extension the controller) at risk of infringing the UK GDPR, for example, due to mishandling of personal data, mishandling of requests from data subjects, or data breaches caused by human error.

If data protection training is provided, ask the supplier to provide details (including on the frequency, format and content of training).

2.6-2.10 Investigations, complaints and requests

As the customer has an explicit obligation under article 28 to choose an appropriate processor, the customer should take steps to understand if the supplier has been subject to any relatively recent complaints, investigations or requests for access to data. The queries should cover any investigations, notices or enforcement from the ICO (or other data protection or industry regulator in their jurisdiction), any material breaches of contractual obligations with other customers relating to data protection or data security, and complaints from data subjects in respect of handling their personal data.

See also below further detail on certain steps in respect of investigations, complaints and requests.

2.6 Check whether the supplier has been the subject of any complaints or enforcement action regarding their data protection, ePrivacy or PECR compliance

Check whether the supplier has been investigated or received any complaints, notices or enforcement action from the ICO (or other data protection or industry regulator in their jurisdiction) regarding their data protection, ePrivacy or PECR compliance. If they have, ask the supplier to provide details (including the issues, outcomes and actions taken to avoid any repeat infringements).

2.7 Check whether there have been any material breaches of contractual obligations relating to data protection or data security

Check whether there have been any material breaches of the supplier’s contractual obligations to their customers relating to data protection or data security in the last three years. If so, ask the supplier to provide details (on a no-names basis and include any action taken to avoid any repeat breaches).

2.8 Check whether the supplier has received any complaints from data subjects in respect of the handling of their personal data

Check whether the supplier has received any complaints from data subjects in respect of the handling of their personal data in the last 12 months. If so, ask the supplier to provide further information.

2.9 Ask for details regarding the process for assisting or dealing with data subject requests

The customer should ask the supplier to provide details regarding the systems, processes and procedures they have when assisting or dealing with a data subject’s requests involving the customer’s personal data. How quickly is the supplier able to assist or respond?

2.10 Ask the supplier for details on responding to requests for access to data

Ask the supplier to provide details and examples of how they would deal with or challenge requests from law enforcement or government authorities for access to data (eg, under section 702 of the US Foreign Intelligence Surveillance Act (FISA) or similar executive powers and laws).

2.11-2.13 Data breaches

Under the UK GDPR, processors have a number of independent statutory obligations relating to security and notification of personal data breaches to the controller. A customer (as controller) should ensure that any due diligence they perform on a supplier (as processor) includes establishing the supplier’s process for notification of personal data breaches to the customer. Specifically, if a processor becomes aware of a personal data breach, they must notify the relevant controller without undue delay (although the customer will often want to impose a specific timeframe on this in the processing contract). Note that a controller has 72 hours to notify the ICO or relevant supervisory authority from when it becomes aware of certain personal data breaches.

See further How-to guide: How to reduce the risk of a GDPR data breach.

A processor must also assist the controller in complying with its obligations regarding personal data breaches. During due diligence, the customer would want to establish the extent of the support that it can expect to receive from the supplier.

See also below further detail on certain steps with respect to data breaches.

2.11 Check what processes, procedures and plans are in place to deal with a data breach

The customer should check what processes, procedures and plans the supplier has in place to deal with a data breach. How quickly will the supplier notify the customer if a breach occurs? What information will the supplier include in the notification?

2.12 Check whether the supplier has experienced a security incident or data breach relating to personal data within their systems or control

Check whether the supplier has experienced a security incident or data breach relating to personal data within their systems or control in the last three years. Ask whether the supplier has reported a security incident or data breach to a customer/controller and/or the ICO (or relevant data protection authority in their jurisdiction). If the answer is yes, ask the supplier to provide details.

2.13 Check whether the supplier’s staff and subcontractors handling personal data are subject to confidentiality obligations and confirm that they are made aware of the contractual obligations to the customer

Check whether all the supplier’s staff and subcontractors handling personal data are subject to contractual obligations of confidentiality and are made aware of the supplier’s data protection obligations under their contract with the customer.

2.14-2.17 Processors’ obligations

Under the UK GDPR, processors have a number of direct statutory obligations in terms of how they engage and interact with their controllers (some of these are also reflected in the mandatory terms under article 28(3), UK GDPR, which are to be included in the contract when a controller appoints a processor). A controller (the customer) should ensure that any due diligence they perform on a supplier includes the provisions listed below.

  • Controller’s instructions – a processor can only process the personal data on instructions from a controller (unless otherwise required by law). To do otherwise may render that processor a controller (article 28(10), UK GDPR).
  • Sub-processors – a processor must not engage another processor (ie, a sub-processor) without the controller’s prior specific or general written authorisation. If authorisation is given, the processor must put in place a contract with the sub-processor with terms that offer an equivalent level of protection for the personal data as those in the contract between the processor and the controller (articles 28(2) and (4), UK GDPR).
  • Security – a processor must implement appropriate technical and organisational measures to ensure the security of personal data, including protecting against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access (article 32, UK GDPR).
  • Notification of potential data protection infringements – a processor must notify the controller immediately if any of the controller’s instructions would lead to a breach of the UK GDPR or local data protection laws (article 33, second paragraph, UK GDPR).
  • International transfers – the UK GDPR includes a prohibition on transferring personal data which applies equally to controllers and processors. As a result, a processor must ensure that any transfer outside the UK is authorised by the controller and complies with the UK GDPR’s transfer provisions (chapter V, UK GDPR).
  • Data breaches – this obligation has been covered in the Data Breaches section above (articles 32 and 33(2), UK GDPR).

See also below particular points to note with respect to processors’ obligations.

2.15 Check whether the supplier is proposing to subcontract any part of the work which involves the processing of personal data

Check whether the supplier is proposing to subcontract any part of the work (involving the processing of personal data) that they will carry out on the customer’s behalf. If so, check the following:

  • whether the supplier will obtain the customer’s prior consent or written authorisation for the use of sub-processors and allow the customer to object to any replacements;
  • what due diligence the supplier will carry out on sub-processors;
  • whether the supplier will have a contract in place with its sub-processors that includes data processing obligations and whether those clauses will be substantially the same as the clauses in the contract they have in place with the customer;
  • whether the supplier can provide a list of proposed sub-processors that they intend to use initially for the customer’s pre-approval; and
  • whether the supplier can provide the customer with copies of the relevant subcontracts or data processing agreements on request.

2.16 Check whether any of the customer’s personal data will be processed outside of the UK or EEA (including via remote access)

Check whether the supplier, or any third parties acting on the supplier’s behalf (eg, affiliates, group companies, etc), will be processing any of the customer’s personal data outside of the UK or EEA (including via remote access). If so, the supplier should confirm:

  • locations and data flows; and
  • how the supplier will fulfil the obligation of adequate protection in respect of the data to be transferred (eg, standard contractual clauses or binding corporate rules, transfer impact assessments, supplementary measures such as encryption, anonymisation or split processing, which will be used to mitigate the risks of access to personal data by foreign government authorities).

2.17 Check what assistance or support the supplier can give in respect of the customer’s obligations under the GDPR as a data controller

Check what assistance or support the supplier can give in respect of the customer’s obligations under the GDPR as a data controller regarding:

  • security;
  • data protection impact assessments and prior consultation with regulators; and/or
  • provision of information demonstrating both parties’ compliance with the GDPR (including audit rights).

Step 3 – Assess the supplier’s cybersecurity compliance

Step 3 of the due diligence checklist focuses on the supplier’s technical and organisational security measures for ensuring that personal data is kept secure in accordance with the requirements under the UK GDPR. The questions cover, for example, information security policies, security incident management, disaster recovery policy, personnel training and technical and organisational measures.

The customer should be mindful of the nature of the services the supplier will be providing, what role data plays in the provision of these services, the quantity of data handled by the supplier and the supplier’s specific characteristics. The checklist may need to be adapted depending on each transaction’s specific features, the supplier’s level of technological sophistication, and the amount and sensitivity of the data that the supplier will be processing for the customer.

If the supplier is found to be not compliant or inadequate in terms of the cybersecurity measures it has implemented, the customer may either opt to not engage with this supplier or alternatively may require the supplier to improve or supplement the cybersecurity measures that they currently implement, or apply any other measure the customer considers appropriate for their relationship with the supplier. This will be a commercial matter for the customer and will depend on several factors, including their risk appetite, maturity of their procurement processes and market opportunities.

See also below further detail on certain steps with respect to cybersecurity compliance.

3.1 Check the supplier’s technical and organisational security measures for the protection of personal data

Check the details of the supplier’s technical and organisational security measures for ensuring that any personal data they process is kept secure in accordance with the requirements under the UK GDPR, as relevant to the products, services or solutions that they provide.

Ask the supplier to provide a list of any information security certifications, accreditations and registrations they hold (eg, ISO 27001 certification, SOC 2 or SOC 3 reports, or PCI DSS) and copies of any testing reports, such as penetration testing reports.

3.10 Check whether the supplier has a policy to manage the access rights of user accounts

Check whether the supplier has a policy to manage the access rights of staff and contractor user accounts that ensures access to data on a ‘need-to-know basis’ (including deactivation as part of offboarding procedures).

3.12 Check what measures the supplier has in place to prevent unauthorised access to their systems from outside their company

Check what measures the supplier has in place to prevent unauthorised access to their systems from outside their company, including firewalls, anti-virus detection and protection, and protection against malware, phishing and other attacks.

3.13 Check whether the supplier has a backup and disaster recovery policy and business continuity plans

Check whether the supplier has a backup and disaster recovery policy and business continuity plans. Either request a copy of this policy from the supplier or request that the supplier provides comprehensive details.

Step 4 – Assess whether any additional queries are necessary

4.1 Consider whether any additional queries are necessary to address risks specific to the relevant products, services or solutions that are being procured

If the supplier is offering specialised services (eg, marketing to consumers, cloud hosting, outsourcing, etc), the customer may need to include a set of specific queries to cover the particularities of that service offering. For example, if the customer is engaging a supplier as a marketing partner, they may need to consider queries related to UK GDPR or PECR compliance regarding the sale of data lists (eg, SMS, email, etc), marketing campaigns and user marketing preferences. Some of these enquiries may include the following:

  • check that the supplier’s processes and procedures for the sale of any lists of personal data via SMS or email are GDPR, ePrivacy law and PECR compliant; and
  • check that the supplier’s processes and procedures in respect of any SMS or email marketing campaigns are compliant with the GDPR, ePrivacy law or PECR.

Other questions may be relevant and necessary if the supplier operates in a different sector.

Additional resources

Related Lexology Pro content

How-to guides:

Understanding key data protection definitions
How to ensure compliance with the GDPR
How to comply with data processing principles under the GDPR
How to establish a valid lawful basis for processing personal data under the GDPR
How to transfer personal data lawfully outside the UK
How to reduce the risk of a GDPR data breach
How to deal with a GDPR data breach
How to deal with an ICO dawn raid

Checklists:

GDPR compliance self-assessment audit
Lawful processing of personal data under the GDPR
Assessing whether an organisation is a controller or processor under the GDPR
Obtaining and managing consent under the GDPR
What to include in your organisation’s privacy notice
Data subject access rights under the GDPR
When and how to appoint a data protection officer
Making an international transfer of personal data under the UK GDPR
Complying with cookie requirements under the PECR and the GDPR
