We, at Letslaw, keep our commitment to inform of how the entry into force of the new General Data Protection Regulation is affecting the drafting of new contracts. This regulation entails many novelties and we have already talked about how to implement it and of the differences with the LOPD. Let us now have a look at new contractual developments.
Agreement between Controller and Processor
The new General Data Protection Regulation (hereafter, the GDPR) provides that the relationship between the data controller and the data processor must be governed by a contract or legal instrument containing, in general: (i) the purpose, (ii) the duration, (iii) the nature of the processing, (iv) the purpose of the processing, (v) the type of data personal processed, (vi) the categories of data subjects and (vii) the rights and obligations of the data controller.
The principle of accountability has been reinforced by the European reform and has become one of its main principles. This has entailed a more thorough monitoring of the relationship between the data controller and the data processor.
Said relationship is subject to a more detailed study under the GDPR, which covers a series of minimum indispensable contents, further to those already mentioned.
- The data controller must detail the tasks of the data processor and the latter must comply strictly with said instructions.
- The confidentiality obligations of all individuals authorized to access the data must be included.
- The appropriate measures needed to guarantee the security of the processing by the data processor must be explained.
- An express reference to the permission or prohibition to resort to subprocessors must be included. However, said subprocessing will only be possible with the consent of the data controller and subject to the signature of an agreement.
- The data processor must assist the data controller as far as possible in connection with any obligations resulting from the exercise of their rights by the users.
- The data processor must assist the data controller in connection with the fulfillment of any obligations regarding security and impact evaluations
- The agreement must cover the consequences of the decision to terminate the contractual relationship, particularly if the data processor will have the obligation to erase or return the data, as established under national or European law.
- The data processor must provide to the data controller any information which may be necessary for it to comply with its obligations.
The Regulation provides for the possibility that both the European Commission and the national supervisory authorities draft standard clauses. These models are voluntary and may be used as a basis to simplify legal transactions and prevent penalties. The Spanish Data Protection Agency has followed suit and published its contract guide with guidelines for writing agreements between data controllers and processors adapted to the new GDPR.
We, at Letslaw, accompany our clients in the process of adapting their contracts to European regulations. We are specialized in data protection and have the professional competence and experience required by the new Regulation.
If you need more information or have any doubts, please contact us at firstname.lastname@example.org or by calling 0034.914 323 772.