What types of contractual provisions are required for different types of service providers under the GDPR?
The types of contractual provisions that the GDPR requires a company to impose upon a service provider differ based upon two primary factors: (1) whether the service provider is a “processor,” a “controller,” or a “joint controller,” and (2) whether the service provider is located outside of the European Union and the parties intend to rely upon the Standard Contractual Clauses as an adequacy measure for effectuating the cross-border transfer of information.
The following matrix indicates the types of documents that are typically implemented depending upon these two factors. Items marked in italics may not be mandated by the GDPR, but are recommended to protect the contracting parties or have risen to the level of industry standard and practice.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.