Context:
It should be made clear up front that contracts are an area where specific legal advice should be sought. The detail given below gives an insight into the requirements stated within the GDPR. It will also be useful as a starting point for checking the status of your current contracts.
Considerations:
In any instance where your organisation is processing personal data, check the contractual arrangements that are in place. Pay particular attention to where information is passed to third parties such as partners, suppliers, software and cloud services, as these data flows are not always overt.
How to:
The required contractual elements are quite extensive. The list below indicates the required areas and will serve as a basis for your checks:
- Confidentiality of processing
- Responsibilities around data breach
- Requirements for Data Protection Impact Assessments
- How data will be erased or recovered
- Infringement
- Measures to be implemented and how they will be tested
- Details of any onward processing
- Availability of audits/reports
- Details of data transfers
- Technical measures such as encryption and provisions for data accuracy
The existence of the above areas in a contract does not in itself prove compliance with the regulation. If you have any doubt, you should seek legal advice on the content and suitability of your contractual position.
References:
- GDPR Recitals: 32, 43, 60, 61, 63, 68, 81, 109
- GDPR Articles: 7, 13, 28, 29, 32