If third parties process personal data on behalf of your company, you will in almost all cases require a contract for commissioned processing pursuant to Art. 28 GDPR. Our consulting experience shows that processors often submit a contract proposal that contains significant disadvantages for your company. Guiding questions for the review of contracts under Art. 28 GDPR are:
- Is the contract complete and free of loopholes?
- Is detailed documentation of the processor's technical and organizational measures part of the contract?
- Does the contract contain provisions to the detriment of the controller, for example excessive and unreasonable cost provisions?
- Is personal data processed outside the EU and, if so, is it legally protected?
- Are the provisions for safeguarding data subject rights sufficient to fulfil all legal obligations?
- Are there sufficiently clear and unambiguous provisions and notification processes in the event of a data breach?
Clear contracts protect
If all of the above guiding questions are answered to your satisfaction, then nothing stands in the way of concluding an Art. 28 contract. Otherwise, the only solution is the laborious path of renegotiation and, if this does not lead to success, a change of provider.
Missing contracts under Art. 28
Missing Art. 28 contracts are a reason for the authorities to impose fines. Don't let it get that far. When we take on an engagement, we check all processes for the need to conclude Art. 28 contracts, review any existing contracts for contractual deficiencies and suggest improvements on your behalf. In most cases of this kind, we succeed in significantly reducing your risks.