- Identify contracts that entail data flows with other entities
- Compare them with GDPR art. 26 & 28 and report any missing parts
- Follow contractual clauses, including confidentiality commitments
Almost every organization has relationships with employees, associates, clients, contractors and suppliers. Often it also cooperates with other entities, for instance within a capital group or a structure of public institutions. Most of these relationships involve data sharing. Employees and associates work as part of the organization, while external entities are usually separate controllers. Sometimes your organization is a joint controller, and sometimes it is a processor or uses processors to make its processing more effective (for instance by using an external server, archive, IT support, cloud computing, outsourcing, etc.).
Sharing data with external entities requires a legal basis similar to that for data processing (GDPR art. 6 or 9), while using a processor or acting as a joint controller requires signing a specific contract that governs data flows and security.
A controller-processor contract should contain all the elements listed in GDPR art. 28, including the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the processor’s obligations and the controller’s rights.
A joint controllers agreement is required by GDPR art. 26; it must transparently determine the responsibilities of each joint controller, including a coordinated response to data subject requests. Inform data subjects of all joint controllers and of the essence of the agreement between them.
Other contracts also cover confidentiality and data protection – make sure you know them well and report any lack of clarity. Remember that in order to perform contracts, you process data of both your contractor or client and its representatives, staff members and other persons involved. Data processing principles protect them in the same way as any other data subjects.
Next: GDPR staff training 15/17 – what to include in & how to apply contracts?
Table of contents:
GDPR staff training 1/17 – preview
GDPR staff training 2/17 – how do you approach data protection right now?
GDPR staff training 3/17 – why protect data at all?
GDPR staff training 4/17 – what are personal data?
GDPR staff training 5/17 – what is personal data processing?
GDPR staff training 6/17 – who processes personal data?
GDPR staff training 7/17 – how personal data should be processed?
GDPR staff training 8/17 – what are your roles & responsibilities?
GDPR staff training 9/17 – why the need to know principle is so important?
GDPR staff training 10/17 – what difference can you make?
GDPR staff training 11/17 – how do you approach data protection right now?
GDPR staff training 12/17 – why provide information on data processing?
GDPR staff training 13/17 – what is the sense of consents to data processing?
GDPR staff training 14/17 – what to include in and how to apply contracts?
GDPR staff training 15/17 – what to include in & how to apply contracts?
GDPR staff training 16/17 – how to handle data subject requests?
GDPR staff training 17/17 – wrap-up