Identify contracts that entail data flows with other entities
Compare them with GDPR art. 26 & 28 and report any missing parts
Follow contractual clauses, including confidentiality commitments
Almost every organization has relationships with employees, associates, clients, contractors and suppliers. Often, it cooperates with other entities, such as within a capital group or a public institutions structure. Most such relationships involve data sharing. Employees and associates work as part of the organization, while external entities are usually separate controllers. Sometimes your organization is a joint controller, and sometimes it is a processor or uses processors to make processing more effective (for instance by using an external server, archive, IT support, cloud computing, outsourcing etc.).
Data sharing with external entities has a similar legal basis to data processing (GDPR art. 6 or 9), while using a processor or acting as a joint controller requires signing a specific contract to govern data flows and security issues.
A controller-processor contract should contain all elements listed in GDPR art. 28, including the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the processor’s obligations and the controller’s rights.
A joint controllers agreement is required by GDPR art. 26 and must transparently determine the responsibilities of each joint controller, including a coordinated response to data subject requests. Inform data subjects of all joint controllers and of the essence of the agreement between them.
Other contracts also cover confidentiality and data protection issues – make sure you know them well and report any lack of clarity. Remember that to implement contracts, you process the data both of your contractor or client and of its representatives, staff members and other persons involved. Data processing principles protect them the same way as other data subjects.