Making your contracts GDPR compliant: a complete guide

Contracts are essential for GDPR (General Data Protection Regulation) compliance.

Whether you’re dealing with employees, third parties or organisations outside the EU, a written agreement of data protection practices is the only way to make sure everyone is on the same page and to protect you in the event of a security incident.


Contracts with third parties

When you outsource data processing activities to another organisation which is acting as the data processor, you must  enter into a data processing agreement which  includes certain contractual statements in a data processing agreement

Data controllers are responsible for their own compliance as well as that of processors. If the processor  suffers a security incident, you must be able to demonstrate that you had the necessary safeguards in place.

If you don’t have a contract, then you haven’t fulfilled your responsibilities under the GDPR and can be punished regardless of how the breach occurred.

If you have a contract but the third party failed to meet its obligations, it may be liable to pay damages or other fines. This is also the case if the third party sub-contracted some or all of the processing activities.

Contracts must set out:

  • The subject matter and duration of the processing;
  • The nature and purpose of the processing;
  • The type of personal data and categories of data subject; and
  • The controller’s obligations and rights.

Contracts with non-EU organisations

Under the GDPR, organisations can only share EU residents’ personal data outside the EU if:

  • There is an adequacy decision, as per Article 45 of the GDPR;
  • You are using SCCs (standard contractual clauses), as per Article 46; or
  • They rely on BCRs (binding corporate rules), as per Article 47.

SCCs are legal contracts that contain rights and requirements for the data exporter, data importer and data subjects.

They are suitable when organisations are sharing data with non-EU-based organisations in a straightforward manner.

BCRs, by contrast, are more suitable for multinationals that conduct ongoing or complex data transfers that would otherwise be tied up with hundreds of SCCs.

In terms of Brexit, both the UK and EU hope to complete the adequacy decision process before the end of the transition period on 31 December 2020.

If an adequacy decision isn’t reached by then, UK organisations that process EU residents’ personal data will need to ensure SCCs or BCRs are in place to ensure that their data processing remains lawful.


Employee contracts

Data protection requirements are slightly different when it comes to employees. Instead of including rules in their contracts, organisations should create a data privacy notice that outlines what employees must do to comply with the GDPR.

This document provides information on the way your organisation processes the personal data of customers and employees, and overrides any invalid data protection clauses in existing contracts.

Your data privacy notice should state:

  • The purposes that the organisation processes the employee’s personal data;
  • The lawful basis for processing that information;
  • How long the information will be kept; and
  • The employee’s data subject rights.

Looking for help drafting contracts?

Reviewing and updating your contracts and other data protection documentation is fraught with risk. A mistake or omission could be the difference between GDPR compliance and a hefty fine.

If you want to avoid those dangers, take a look at our GDPR Contract and Legal Services package.

Our specialist legal and privacy team, led by experienced data protection officers, lawyers, barristers and information security experts, will help your organisation create:

  • Privacy notices and policies;
  • HR documentation;
  • Commercial contracts with suppliers, customers and employees; and
  • International data transfers.