Shorter Reads

New EDPB guidelines: copying and pasting GDPR provisions into your commercial agreements isn’t enough

1 minute read

Published 15 September 2020

Share

Key information

The European Data Protection Board (EDPB) has published a set of draft guidelines clarifying the key GDPR concepts of controllers and processors by providing specific examples and helpful flowcharts to help apply these concepts in practice. Buried within these guidelines is the paragraph quoted below, which has significant implications for day-to-day commercial contracts.

Under Article 28 of the GDPR, where one party (Party B) is appointed by another (Party A) to provide certain services that requires Party B to process personal data on behalf of Party A (which is the data controller), certain clauses are mandatory in the commercial contract between those parties (or in a separate data processing agreement).

Where Party A’s processing activities are minimal and are considered low-risk, it is common for the relevant agreement simply to repeat the provisions of Article 28 without further elaboration.

However, the EDPB states in the guidelines that simply restating the provisions of Article 28 without any additional detail is not sufficient. In particular, the EDPB states that the contract or separate data processing agreement required by Article 28 also needs to include information regarding the security measures to be adopted by the processor (Party B in the example above), as well as providing for a regular review of these measures.

The level of detail required is ‘such as to enable the controller to assess the appropriateness of the measures pursuant to Article 32(1) of the GDPR’. This requires both the controller (Party A) and the processor (Party B) to take into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of those individuals whose data is processed.

The draft guidelines remain open to public consultation until 19 October 2020. Any interested parties are encouraged to contribute to the consultation by providing comments on the guidelines via the link below.

https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-072020-concepts-controller-and-processor_en

Related latest updates
PREV NEXT

Arrow Back to Insights

Shorter Reads

New EDPB guidelines: copying and pasting GDPR provisions into your commercial agreements isn’t enough

Published 15 September 2020

Associated sectors / services

  • Business
  • Data Protection

The European Data Protection Board (EDPB) has published a set of draft guidelines clarifying the key GDPR concepts of controllers and processors by providing specific examples and helpful flowcharts to help apply these concepts in practice. Buried within these guidelines is the paragraph quoted below, which has significant implications for day-to-day commercial contracts.

Under Article 28 of the GDPR, where one party (Party B) is appointed by another (Party A) to provide certain services that requires Party B to process personal data on behalf of Party A (which is the data controller), certain clauses are mandatory in the commercial contract between those parties (or in a separate data processing agreement).

Where Party A’s processing activities are minimal and are considered low-risk, it is common for the relevant agreement simply to repeat the provisions of Article 28 without further elaboration.

However, the EDPB states in the guidelines that simply restating the provisions of Article 28 without any additional detail is not sufficient. In particular, the EDPB states that the contract or separate data processing agreement required by Article 28 also needs to include information regarding the security measures to be adopted by the processor (Party B in the example above), as well as providing for a regular review of these measures.

The level of detail required is ‘such as to enable the controller to assess the appropriateness of the measures pursuant to Article 32(1) of the GDPR’. This requires both the controller (Party A) and the processor (Party B) to take into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of those individuals whose data is processed.

The draft guidelines remain open to public consultation until 19 October 2020. Any interested parties are encouraged to contribute to the consultation by providing comments on the guidelines via the link below.

https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-072020-concepts-controller-and-processor_en

Associated sectors / services

  • Business
  • Data Protection

Need some more information? Make an enquiry below.

    Subscribe

    Please add your details and your areas of interest below

    Specialist sectors:

    Legal services:

    Other information:

    Jurisdictions of interest to you (other than UK):



    Enjoy reading our articles? why not subscribe to notifications so you’ll never miss one?

    Subscribe to our articles

    Message us on WhatsApp (calling not available)

    Please note that Collyer Bristow provides this service during office hours for general information and enquiries only and that no legal or other professional advice will be provided over the WhatsApp platform. Please also note that if you choose to use this platform your personal data is likely to be processed outside the UK and EEA, including in the US. Appropriate legal or other professional opinion should be taken before taking or omitting to take any action in respect of any specific problem. Collyer Bristow LLP accepts no liability for any loss or damage which may arise from reliance on information provided. All information will be deleted immediately upon completion of a conversation.

    I accept Close

    Close
    Scroll up

    Find out about Business

    Find out about Dispute Resolution

    Find out about Individuals & Families

    Find out about Real Estate

    We are Collyer Bristow - The law firm for those that
    value individuality, creativity and collaboration.

    Legal & Pricing info Regulatory InformationAccessibilitySitemapPricing and service information

    Listen to our latest podcast: No notice, no claim? (Drax v Scottish Power)

    Read our latest article: Election 2024: Domicile, Inheritance Tax, and change promised by the new Labour government

    Watch our latest video: What is a nuptial agreement? A full guide to everything you need to know about pre and post nups

    Read our latest article: Election 2024: Initial comments on potential tax changes

    Read our latest article: Labour wins UK general election: What changes are coming for employers?

    ExpandNeed some help?Toggle

    < Back to menu

    I have an issue and need your help

    Scroll to see our A-Z list of expertise

    Get in touch

    Get in touch using our form below.



      Business Close
      Private Wealth Close
      Hot Topics Close