GDPR and contract negotiations

Azhar Ghose highlights some of the issues that have arisen in contract negotiations of GDPR clauses.

Not another GDPR write up!

If you share these sentiments, you have my sympathies, given the relentless onslaught of GDPR headlines, whether on legal or non-legal media platforms. This is especially the case as we approach the “D Day” for the UK implementation of GDPR on 25 May 2018. Perhaps I can assist you in your filtering process; this article is aimed at contract practitioners for whom GDPR has been a working reality for several months now.

The contractual provision requirements (Article 28)

GDPR (or the Regulations) prescribes mandatory contractual provisions and requires you to give consideration to other appropriate clauses that should be included in contracts (whether existing or new arrangements) with all Data Processors from the implementation date. The minimum mandatory contractual requirements between the Data Controller and the Data Processor are set out in Article 28 of GDPR and are also covered in the ICO Guidance. The Article stipulates that the contract needs to include, as a minimum, details of the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. It also sets out clauses that should be included, such as those dealing with the transfer of data outside of the EEA, assisting with, implementing and providing sufficient information to demonstrate compliance with the GDPR measures, assisting and complying with Data Subjects' rights, ensuring confidentiality in the processing, and so forth.

The requirement for GDPR-compliant contractual provisions has, to some extent, been disseminated through practice and via some “painful” negotiations between contract practitioners. Before last Christmas, some practitioners seemed unaware of this requirement despite having undertaken GDPR training.

This may not be too surprising when you realise that many of the webinars, training courses and literature on GDPR indeed omitted reference to Article 28 and focussed their attention instead on the big headline changes, such as the Data Processor liabilities, appointment of the data protection officer, the new data subject rights, data privacy impact assessments, Personal Data breaches and the astronomical penalties. Rest assured, I won’t be tackling any of these highly publicised subject areas.

Dispelling some GDPR myths

Contract negotiations have also thrown up some misconceptions about GDPR which are worth highlighting in the interests of facilitating smoother contract negotiations.

The misconceptions may stem from how the Regulations were presented in the early days of GDPR training. The big assumption was that the audience had a detailed knowledge of the Data Protection Act 1998, just as this article, inversely, assumes that the reader has knowledge of GDPR. GDPR training primarily focussed on the specific changes under the new Regulations without mention of the unchanged legal position. This over-emphasis on the “new” requirements under GDPR meant that the holistic understanding of processing data, particularly in respect of the responsibilities between the Data Controller and Data Processor, may have become skewed.

I can demonstrate this point by taking the following statement from the ICO website:

“If you are a processor, the GDPR places specific legal obligations on you;” which is positioned before the next statement:

“However, if you are a controller, you are not relieved of your obligations where a processor is involved”

It would be easy to incorrectly infer from these statements that the responsibilities under the Regulations are greater for the Data Processor than for the Data Controller. This manner of presenting GDPR has been widespread, and the same understanding is projected by some lawyers acting for Data Processors.

Of course, under the Regulations it is the Data Controller that has the responsibility for implementing, demonstrating, reviewing and updating the appropriate technical and organisational measures for processing and safeguarding Personal Data and not the Data Processor. The Data Processor has the responsibility to assist the Data Controller in fulfilling its obligations albeit that they may undertake to fulfil such obligations on behalf of the Data Controller.

Whilst the Data Processor is liable for the obligations under GDPR, its practical enforcement remains unclear and uncertain, apart from a clear statement that the Data Processor may be found to be acting as the Data Controller by determining the purpose and the means of processing.

Practically, the Data Processor will be further down the chain from the Data Controller and may even be located outside of the European Union, making recourse to legal remedies and sanctions much more difficult to apply in their case than in the case of the Data Controller.

Where the Data Processor negotiates for the adoption of their own favourable terms and conditions upon the Data Controller, they increase the risk that the Data Processor is acting as the Data Controller of the Personal Data.

Rights to Audit and Inspection

Other rights that need to be reserved in the contract between the Data Controller and Data Processor include the right to audit and inspect the processing activities.

Did I mention that the Data Controller has the ultimate responsibility of implementing the organisational and technical measures for the purposes of the Regulations?

Surprisingly, the Data Processor sometimes fails to recognise that audits, inspections and investigations are part of the Data Controller's toolbox for establishing, reviewing and improving the appropriate organisational and technical measures. The ability to fully investigate the processing activities, especially where there has been a Personal Data breach, may not be an explicit requirement, but it will be essential and appropriate to improve the design of the processes to ensure that Personal Data is adequately processed and safeguarded in the future.

The Regulations do not mandate the exercise of many of the prescribed rights for the Data Controller, leaving their application at the Controller's discretion. Data Processor lawyers have seized upon this to negate or severely restrict the exercise of audits, inspections and investigations.

If there were a security and Personal Data breach, and the Data Controller did not have these tools sufficiently at its disposal to identify the inherent and future risks and to effect remedial changes, then this would effectively take away significant mitigation that the Data Controller could present to the ICO and potentially lead to a more severe financial penalty.

Other areas of contention include obtaining the prior consent of the Data Controller when engaging sub-processors, or insisting on the Data Controller giving the Data Processor blanket general consent for engaging sub-processors. The sub-processor is required to provide “the same” obligations and “sufficient guarantees” as exist between the Data Controller and Data Processor in the supply chain. The general consent that is permitted under GDPR is not a carte blanche to engage whomsoever the Data Processor chooses, as the right is qualified by a right for the Data Controller to receive prior notice and to object to any such engagement. Implied within the Data Controller's right to object is the opportunity for the Data Controller to fulfil its GDPR responsibilities, which may include risk assessments, audits and inspections, so as to be able to approve the engagement of a new and reliable processor in the chain.

European Union

Similarly, for transferring or processing data outside of the European Economic Area (EEA), Data Processors have at times argued that they are entitled to stipulate a non-specific blanket consent for such transfers, subject to entering into the EU Model Clauses. I would suggest that this is not in keeping with the spirit of the Regulations, which is to ensure that the Data Controller has transparency, is accountable, can maintain a record of any transfers outside of the EEA, retains overall responsibility for processing and safeguarding the Personal Data, and ensures compliance with the new Data Subjects' rights. A blanket consent also means that the Data Controller would have no right to object in the event of a transfer of Personal Data, nor the opportunity to assess and test whether the territory outside of the EEA has adequate safeguards for the Personal Data.

On the subject of EU Model Clauses, it has been argued that these clauses can be amended to include the parties’ commercial terms. Whilst this is true, it would not extend to limiting the Data Subjects' rights or their ability to take action against the Data Processor or the sub-processor to the same limited liabilities that may have been agreed in the contract between the Controller and the Processor. A suitable alternative to the EU Model Clauses, where the Processor is only contemplating transfers of the data amongst its worldwide group of companies, is to consider the adoption of Binding Corporate Rules, which would confirm that adequate safeguards are in place amongst all the relevant group companies that may process the Personal Data supplied by the Data Controller, wherever those companies may be located.

The extent of the insolvency inducing financial penalties under GDPR must be one of the factors as to why contract negotiations have been so intense and difficult to resolve.

Article 28(1) expressly places an obligation on the Data Controller to select a Data Processor that will provide “sufficient guarantees” to implement appropriate GDPR measures on their behalf.

Selecting the most appropriate Processor, one that is willing to work to the reasonable terms of the Controller in support of the Controller's responsibilities under the Regulations, will be fundamental in avoiding difficult negotiations.

I will leave you with this final thought: where the Controller has a limited choice of Processor, say because the product is exclusive to that supplier, then, if the contract terms are too weak to safeguard the Personal Data, should liability be apportioned to the Processor because of the unequal bargaining power in its favour in negotiating the contract?

“Creativity is intelligence having fun!” - reputed to have been said by Albert Einstein.

Azhar Ghose is an in-house commercial lawyer and freelance writer. He can be contacted by email.

(c) HB Editorial Services Ltd 2009-2018