One of the main obligations of the General Data Protection Regulation is to govern the relationship between data controllers and subcontractors whenever personal data is transferred between them. It is therefore necessary to audit existing contracts to ensure that the appropriate clauses are present; otherwise, an amendment must be signed to incorporate them. We can assist you in verifying your compliance with the GDPR and in drafting or negotiating amendments to your contracts where necessary. Specific rules apply in the event of a transfer of personal data outside the European Union.

What are the clauses that should be included in my DPA?

Article 28 of the GDPR sets out the information that must appear in every contract between a data controller and a subcontractor:

  • The obligation of the subcontractor to comply with the instructions of the data controller, and the prohibition on processing the data in the absence of such instructions.
  • The obligation to respect confidentiality.
  • Details of the security measures to be implemented.
  • The conditions for using a subsequent subcontractor.
  • The assistance to be provided by the subcontractor to the data controller when a natural person requests to exercise their rights.
  • The assistance provided by the subcontractor to the data controller to comply with its obligations under the GDPR.
  • The obligation to delete or return personal data.
  • The provision by the subcontractor of all information the data controller needs to demonstrate compliance.

It is therefore necessary to set out the extent of each party's obligations very precisely.

In the event of an inspection by the CNIL, this information must be presented on request.

Non-compliance with these obligations is likely to justify the implementation of the sanctions provided for in the GDPR.

What resources are needed to bring contracts into compliance with GDPR?

The main resource remains the CNIL site.

Standard subcontracting clauses have been drawn up by the CNIL's lawyers and are available at the following address: https://www.cnil.fr/fr/sous-traitance-exemple-de-clauses

They can be adapted to most processing of non-sensitive personal data and offer various options for allocating responsibilities and commitments between the parties.

It is therefore necessary, at the very least, to draft an amendment to your contracts to incorporate these elements.

The specificities of contracts governing the transfer of personal data outside the European Union

If the subcontracting relationship involves a transfer of personal data outside the European Union, the contract may be subject to additional conditions.

The European Commission has provided that in this case, unless the third party established outside the EU is located in a country whose level of personal data protection is considered adequate, standard contractual clauses must be concluded.

This is not necessary for service providers based in the United States if they are Privacy Shield certified.

The standard contractual clauses must be completed and signed using the model provided by the European Commission, which is available on the CNIL website: https://www.cnil.fr/fr/les-clauses-contractuelles-types-de-la-commision-europeenne

Any modification of these standard contractual clauses is subject to the prior agreement of the CNIL.
