Context:
The GDPR introduces a requirement to have specific elements included in data processing contracts. When processing personal information there should be a controller-processor contract in place – especially where there is a separate data controller and processor.
How to:
Ensure that you have contracts in place with all those organisations that you share personal information with. These could be partners, suppliers, IT software providers, etc.
As an immediate step, check that these contracts define the nature of the organisation/relationship, i.e. who is a data controller and who is a data processor.
Check the required elements of the data processing contract are included.
Contracts are an area where, if you have any doubt at all, it is best to seek legal advice.
Common Scenarios:
Procuring new services from suppliers:
- As part of your buying/procurement process, you need to ensure that any proposals which include the processing of personal information are not only GDPR compliant themselves but also meet the contract terms that you need in order to comply with the regulation.
Existing suppliers and partners:
- Review your current agreements to check if they have the required elements. It is very likely that they will not, and therefore an update to these terms will be needed. Suppliers and partners should see it as good business that your organisation is making efforts to be compliant and will be supportive of the required changes.
References:
- GDPR Recitals: 81, 109
- GDPR Articles: 28, 29,