Data protection contracts - What tends to be missing and what to do about it

18 September 2020

The General Data Protection Regulation (GDPR) has required organisations to move from relying on vague data protection clauses, which were in many cases included by default in services agreements, to meeting the stringent requirements of Article 28 regarding controller-processor arrangements.



Organisations have also been using controller-to-controller and controller-to-processor Standard Contractual Clauses to legitimise most of their transfers of personal data to international organisations or third countries. Nowadays, long and detailed data protection contracts are commonplace. However, important inclusions are still left out of such contracts, leaving organisations vulnerable to regulatory action.

Rocio de la Cruz, principal associate in our Data Protection team, recently wrote an article for PDP Journals explaining what needs to be included in the various types of data protection contracts, based on the positions of the European Data Protection Board and the UK Information Commissioner's Office with regard to joint controllers, controller-to-processor transfers of data and international transfers of personal data.

You can read the article here.


NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.
