Guidelines for GDPR Compliance in Third-Party Contracts


The last few years have demonstrated that personal data is not merely one of the most valuable assets of IT companies but can also be an object of misuse. Examples range from selling users’ data without informing them to data breaches caused by a lack of protection measures. Such cases have led to the rise of strict national regulations in many countries. Privacy matters, and not only for natural persons but for every company that handles personal data.


Complying with personal data protection requirements is vital, since it helps build the company’s goodwill in its relationships with both clients and partners. On the other hand, major data protection violations may lead to the company’s liability. This includes fines (up to 4% of total turnover) or even suspension, by the competent government body, of the activities that involve the use of personal data.

The recent European legislation regulating the flow of personal data of EU residents is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation, GDPR). Among its requirements on the collection, use, and protection of personal data in business activities, the Regulation imposes restrictions on sharing collected data with third parties, whether for the company’s own purposes or for the third party’s benefit.

Almost every contract concerns some amount of personal data. For example, a contract may contain an officer’s contact information, a company may share collected e-mail addresses to obtain e-mail marketing services, or it may sell collected data for a third party’s own marketing. Depending on the purpose, amount, and nature of the data concerned, the GDPR requirements will vary. The common condition for any personal data transfer, however, is that the transfer is properly documented.

Taking a few simple steps will help the company fulfil its obligations in contracts with third parties and mitigate the risk of data misuse by those third parties.

First, decide whether the potential contract involves personal information. What falls under the definition of personal information?

Under the GDPR, personal data is any information that relates to a particular natural person and is linked, or can be linked, to that person by personal identifiers.

These personal identifiers can be a person’s name, identification code, address of residence, location data (including geodata and some kinds of IP addresses), or specific features of a person (genetic information, physical characteristics, economic, cultural or social identity).

Any data collected about a natural person and connected with personal identifiers (or that can be connected with them) will be considered personal data.

Examples include employee profiles, contact information, customer databases, information about a user’s activity on a website, financial activity, and so on. As long as this information is connected, or can be connected, to a person’s name, location, or other identifiers from the list above, it is personal data.

However, the potential contract does not have to meet the data protection requirements if it involves a transfer of aggregated statistical information from which the information about an individual natural person cannot be singled out.

Therefore, if the contract deals with any of the information mentioned above, and this information is identifiable, it is important to comply with personal data protection legislation.

Second, define whether the use of personal data falls under the jurisdiction of the European Union.

The European data protection legislation currently has one of the broadest territorial scopes. The GDPR will apply to the potential contract if either of the following is relevant:

  • One of the contracting parties is established inside the European Union. Here, the mere fact that the legal entity is registered under the laws of an EU country is not sufficient. The office that makes the decisions regarding the contract and the personal data transfer must in fact be located in one of the EU countries; or
  • The personal information involved was collected through the offering of goods and services to EU citizens (or other people who permanently live in the EU) or through the intentional monitoring of EU citizens’ information. The offering or the monitoring, as the trigger for the collection, is the core condition. This means that the unintentional collection of personal information about EU citizens will not fall under EU jurisdiction.

Third, determine the role of the company in the personal data exchange.

The next and most important step in EU data protection compliance is understanding the company’s role in the data exchange. The scope and nature of the obligations depend on the company’s intentions regarding the personal information concerned.

There are two roles for each party in the contract: controller and processor. However, these roles are not mutually exclusive – e.g. both parties can be personal data controllers. Generally speaking:

  • The Controller determines its own purposes for the use of the personal data, whether marketing, training artificial intelligence, or statistical purposes.

    The company will be a controller of the personal data in either of the following cases:

    1. It provides the data to the contracting party, whether for the third party’s own purposes or to process the data on the company’s behalf (e.g. to a payroll company); or
    2. It obtains personal information to use for the company’s own purposes (e.g. its own marketing) or upon its own request (e.g. to register the contracting party’s employees for the company’s event).

  • The Processor uses the obtained data on behalf of the controller and only for the controller’s purposes.

    The company will be a processor if it obtains the data to process it on the contracting party’s behalf (e.g. data storage, e-mail distribution, marketing analysis).

There is a common misconception that a software developer will be a data processor for any company that uses its software for data processing. This is not the case. In such a situation, the processing software is deemed to be a tool for processing. The company that uses this tool on the data will be either a controller or a processor.

Based on this classification, all data relationships in agreements can be divided into three groups:

  • Controller-Processor relationships – agreements where the controller determines the scope, nature, and purposes of the processing. The controller provides data to the processor, and the processor processes the data on the controller’s behalf. The most common controller-processor relationships are payment services, cloud storage, and email newsletter distribution;
  • Controller-Controller relationships – each contracting party has its own purposes in the data exchange. If the company sells its customer data to third parties, this is a controller-controller agreement, since each party processes the data on its own behalf; and
  • Mixed relationships – in many cases, the parties’ roles are mixed. The contracting party can be a controller for one type of data (or purpose) and a processor for other data under the same agreement. In such a case, it is vital to determine the exact role of the company in each separate data transfer. For example, a company shares its data with an analytics service provider for analytics services, and the provider may use the data for its own marketing or research purposes. The provider is a processor when providing the analytics services and a controller for its own marketing/research.

Although the classification may seem to only complicate things, it helps to be certain about the company’s rights and obligations regarding the transferred data. In particular, the GDPR requirements vary depending on the role of the company.

Finally, the GDPR requirements themselves. What must be met when the company concludes the contract?

  1. The lawful basis for the transfer

Before sharing the collected personal data, the company should ensure it has a legal basis for the transfer. Did the data subject allow the transfer of his/her data to third parties?

Consent is not the only legal basis, however. The GDPR requires one of six lawful bases for any operation on the data. These are:

  • The subject’s specific consent – required in data sale agreements or in any transfer that is not covered by the other bases;
  • Processing (transfer) is necessary for the performance of a contract with the data subject – suitable for controller-processor relationships and does not require additional consent;
  • The legitimate interest of the company – arguably the trickiest basis. A data transfer under legitimate interest can only be relied on if the data subject can genuinely expect such a transfer;
  • Processing (transfer) is necessary for the company’s legal obligations;
  • Processing (transfer) is necessary to protect the subject’s vital interests; and
  • Public interest or a competent authority’s request.

  2. Data protection agreements

Although it may not be obvious, the appropriate documentation of data transfers is vital for any data controller. Data protection agreements, for example, will be examined by a supervisory authority if it starts an investigation of the company. During the investigation, a data protection authority examines each contract the company has with third parties that process the collected personal data, not only the company’s Privacy Policy or other internal documentation.

Data protection cannot be documented as just another set of boilerplate clauses in the arrangements between the parties. Rather, it must be set out in separate and specific agreements (or addendums to the principal agreement).

If the company or the contracting party is a processor, there must be a Data Processing Agreement (controller-processor agreement), which stipulates the purposes, obligations, secure processing, and other conditions of the data processing (discussed in the paragraphs below).

If the company and the contracting party both are controllers, there must be a Data Protection Agreement (controller-controller agreement).

If there is a transfer of personal information to a country outside the EU (EEA), on either side, a “standard contractual clauses” agreement must be concluded to ensure the safety of the data outside the EU. This agreement ensures that the GDPR requirements remain applicable regardless of the national legislation.

  3. Data protection clauses

If the personal information will be limited to the parties’ details stated in the contract, or it is uncertain how much data will be involved, the contract must stipulate the security of the information, ensure purpose limitation, and require compliance with the other requirements mentioned below. As an alternative, these requirements can be included in the Non-Disclosure Agreement.

  4. Data security and confidentiality

Both controllers and processors must ensure the secure storage and processing of the information, which includes:

  • If appropriate and possible, storing the personal data separately from other data;
  • Appropriate technical measures such as pseudonymization, encryption, the use of security certificates (SSL/TLS) and secure communication protocols (HTTPS), where appropriate; and
  • Limited access to the obtained personal data. Only authorized persons, and only for the purposes of the agreement, may have access to the data. Where the company provides the data to a processor, the processor’s employees (or other persons authorized to process on its behalf) shall be under an appropriate statutory obligation of confidentiality.

  5. A person responsible for the personal data

Both controllers and processors must designate in the contract a contact person on each side who can be addressed on any issue regarding the personal data. This person must control the use, security, deletion, and rectification of the personal data.

  6. Purpose limitation

The purposes of the personal data use must be clearly set out in the agreement:

  • If the company is a processor under the contract, it must use the personal information on behalf of the contracting party, only for the purposes mentioned in the contract, and only on the documented instructions of the controller; and
  • If the company is a controller, it must use the data only for those of its own purposes that were specified in the contract.

  7. Deletion, return and rectification

Data subjects can request the controller to delete or correct the information about them. If this information was transferred under the agreement, both controllers and processors must delete, return or rectify the data they are processing. The personal data must also be deleted once it is no longer necessary for the purposes of the contract. Legal obligations to retain the personal information, however, can be an exception to these rules.

  8. Cooperation and assistance

Another important issue to stipulate in the agreement between the parties is the assistance that the receiving party (whether processor or controller) provides to the data controller in meeting its obligations. Cooperation and assistance fall into two groups of obligations:

  • Data subject requests. Who is going to answer the inquiries? The parties can decide to process requests jointly or place this obligation on the main (or only) controller. In any case, the receiving party and all involved third parties shall be bound to assist the data controller with data subject requests; and
  • Supervisory authority inspections. It is reasonable to document the obligation of the receiving party to inform the data controller of any inspection. In such a case, the contracting parties, as well as all engaged third parties, shall cooperate and jointly provide all necessary information regarding the processing activities under the contract, including the data protection/processing agreements themselves.

  9. Transfer to third parties and third countries

Neither controllers nor processors may transfer the personal data to third parties or to third countries unless the contract specifies otherwise or the company has obtained the consent of the disclosing party. In any case, all third parties that receive the data shall uphold the same level of obligations the contracting parties have regarding the information concerned.

Furthermore, the company must have appropriate safeguards in place to transfer the data to a third country. One such safeguard was mentioned above under data protection agreements: the standard contractual clauses document. The appropriate safeguards for transfers within a corporate group are binding corporate rules or a code of conduct. See Chapter 5 of the GDPR for more on international data transfers.

  10. Data breach notification

  • If the company is a processor: the company must inform the contracting party about a personal data breach within 24 hours from the moment it becomes aware of it;
  • If the company is a controller and the contracting party is a processor: the processor must inform the company about a personal data breach on the processor’s side without undue delay, AND the company must inform the supervisory authority of the relevant EU country within 72 hours from the moment it becomes aware of it. If the data breach carries risks to the rights of the data subjects, the company must also inform the data subjects; and
  • If both the company and the contracting party are controllers: the parties must inform each other about a personal data breach on their side within 24 hours from the moment the party becomes aware of it, AND must inform the supervisory authority of the relevant EU country within 72 hours. If the data breach carries risks to the rights of the data subjects, the breached party must also inform the data subjects.

Why the Regulation matters.

Following the requirements above serves at least two goals. First, in the event of a supervisory authority’s inspection, the relationships with third parties will be one of the main subjects. Proper documentation of data transfers shows that the company is aware of the importance of data control and takes its obligations towards data subjects seriously. Second, it ensures that the company treats its data subjects correctly and is able to handle all their requests. This adds to the company’s goodwill and mitigates the risk that the supervisory authority will receive a complaint about its data sharing activities.

GDPR requirements might look like a new bureaucratic threshold for doing business in the European Union. Frankly speaking, they do create a threshold. To start a new project, a company has to implement the principle of data protection by design, meet strict security requirements, adopt plenty of internal documents, and always keep an eye on the safety of the collected data.

However, we live in an information society, where such safeguards are vital to creating a robust data-driven market. Furthermore, it is necessary to give control over personal data back to the data subjects. Even if most businesses have an opportunity to profit from their clients’ data, that does not mean they are allowed to abuse it. Personal data, like any business asset, carries risks along with benefits, although society is yet to understand this.

Sooner or later, strict regulation in this area is likely to appear in every country. The adoption of the California Consumer Privacy Act 2018 and the Brazil Personal Data Protection Law are good examples in this regard. The ultimate purpose of such laws is to protect individuals’ right to privacy and ensure the free and lawful flow of data through the market. The best way to face the new order is to accept it as the new rules of the game rather than as new obstacles to benefiting from technology.

Edited by Ken Briodagh
