Data protection contracts - What tends to be missing and what to do about it

The General Data Protection Regulations (GDPR) has required organisations to adapt from relying on vague data protection clauses that were in many cases included by default in services agreements to the stringent requirements of Article 28 regarding controller-processor arrangements.

Organisations have also been using controller-to-controller and controller-to-processor Standard Contractual Clauses to legitimise most of their transfers of personal data to international organisations or third countries. Nowadays, long and detailed data protection contracts are commonplace. However, important inclusions are still left out of such contractions, leaving organisations vulnerable to regulatory action.

Rocio de la Cruz, principal associate in our Data Protection team, recently wrote an article for PDP Journals explaining what needs to be included in the various types of data protection contracts, based on the positions of the European Data Protection Board and the UK Information Commissioner's Office with regards to joint controllers, controller to processor transfers of data and international transfers of personal data.

You can read the article here.