Example GDPR ready processor terms

One of the larger tasks facing organisations as they prepare for the new EU General Data Protection Regulation 2016/679 is how to tackle data governance and compliance controls in the supply chain.  This is often the Achilles heel for compliance risk and the very prescriptive requirements of GDPR will require a thorough review of due diligence, contracting and ongoing contact management and audit practices.

GDPR imposes stringent requirements for controllers appointing processors, including prescribing various matters which must be stipulated in a contract or other legal act (Article 28).  The European Commission and supervisory authorities have the power to adopt standard contractual clauses to meet these new requirements.  However, there is currently no example template and there has already been a proliferation of drafting in the market as different organisations try to tackle the sizeable "re-papering" challenge to ensure supply chains are GDPR ready for 25 May 2018. 

The members of the data work-stream of the International Regulatory Strategy Group therefore thought it would be helpful to develop a suggested set of processor terms to help inform organisations of the new requirements and how they might be addressed.  Although the membership of the working group were largely from the financial services sector, it is hoped that the drafting proposed may also be of assistance to controllers and processors across other sectors.

Vivienne Artz, Managing Director and Global Head of Privacy Legal and Head of International for the Intellectual Property and Technology Law Group, Citi, (Chair of the IRSG Data work stream) commented:   “As the deadline for the implementation of the GDPR approaches, firms still have much work to do to prepare for its new requirements. This addendum relating to Article 28 (Processor Terms) provides a valuable contribution to this work, in the absence of official guidance in this area.   We are extremely grateful to DLA Piper and Clifford Chance for their work in producing this example template and we hope that it will assist firms in the financial services sector and beyond as they prepare for the GDPR May 2018 deadline.”

For further information or advice on tailoring these template terms to your organisation, please contact us by email dataprivacy@dlapiper.com, or get in touch with your usual DLA Piper contact.