The ICO has opened a consultation on processor-controller contracts. As a useful starting point, the ICO has published a checklist that should help most organisations verify whether their current contractual documents are fit for the GDPR.

A checklist can be found as an attachment to this post; the headlines are:

  • Inclusion of compulsory details: subject matter and duration, category of data, ...
  • Inclusion of compulsory terms about the obligations of the processor as stated in the regulation (article 28): assistance in dealing with data subject requests, ...
  • Direct responsibilities of the processor: data breaches, DPO, ...
  • References to compensation, fines and penalties

The ICO consultation (now closed)

The CNIL (the French equivalent of the ICO) itself went straight to giving examples of clauses: CNIL template.

Comparing the checklist, the CNIL sample clauses and the GDPR text itself, it is unsurprising that there is not much difference. Looking at the CNIL document, the clauses are fairly standard and should already be found in most contracts today (audit, security, data transfers, ...). The GDPR just makes these a little more formal and guided.

Not much to make of this then. Practically speaking, if the controller-processor relationship changes to include different or more types of personal data, this will require re-papering the contract. This could be tedious without some sort of automation.

