GDPR, have you ever heard of this acronym? Behind these 4 letters lies a legal juggernaut that impacts your daily life and contract law.
Reminder of the scope and objectives of the GDPR
Adopted in 2016 after 4 years of negotiations, this General Data Protection Regulation came into force on May 25, 2018, replacing the 1995 European directive, which had become obsolete. In an age of digital services and scandals over the use of personal data (Cambridge Analytica, etc.), the GDPR had to fill legal and technological gaps.
Concretely, the GDPR changes the way your data is collected and used within the EU. No more Wild West: it imposes greater transparency on public and private organizations. Informed consent becomes the norm before any collection of your sensitive data. Your rights are reinforced, such as the "right to be forgotten" or the portability of your information.
Beyond individuals, the GDPR also impacts business relationships. Commercial contracts often involve the exchange of data on company employees or customers. The GDPR requires these information transfers to be formalized, with their purposes and retention periods specified.
Each party's role with respect to the data processed must be clearly defined. DPOs (data protection officers) must be appointed. In short, the GDPR requires a thorough review of your contractual approach. A real challenge, but essential for your compliance!
Integration of GDPR into commercial contracts
The integration of the GDPR into your contracts with partners and suppliers requires above all drafting dedicated, precise and complete clauses. They must define the purposes of the processing, the types of personal data concerned (customers, employees, etc.), the retention periods, the destruction methods, etc.
Remember to cover transfers outside the EU where relevant. Also clearly define the roles of each party: data controller, processor (subcontractor), etc. These clauses are essential for allocating GDPR obligations and will serve as the legal basis for the data processing.
The GDPR, already a criterion in calls for tenders
Taking the GDPR into account does not stop at the contract! Build this dimension into your calls for tenders with potential service providers from the outset. Ask them to present their GDPR clause templates, their certifications and their compliance actions.
Favour providers that are proactive on this subject, with an identified DPO, GDPR charters for their employees, etc. Some even integrate the GDPR into their remuneration policies! A guarantee of maturity.
Regular audits of subcontractors
Once the contract is signed, conduct regular GDPR audits of your subcontractors to check compliance with the clauses. Ask for evidence of the technical and organizational measures put in place.
Be careful, failures are common! In recent audits, it is not uncommon to find that 30% of subcontractors did not keep their records of processing activities up to date, and a high percentage could not prove that their teams had received GDPR training.
A potentially risky situation.
Impacts of GDPR on the contract lifecycle
The GDPR impacts the entire life of the contract, starting with data collection. Collection must be limited to the data strictly necessary for the predefined purposes, and retention periods should be kept to a minimum.
For example, customer data for order management does not have to be kept beyond the end of the product warranty. Any excess is risky.
- Transfers outside the EU under strict conditions
Data transfers outside the EU are regulated. They require specific protection and security guarantees.
Choose standard contractual clauses validated by the CNIL. The Privacy Shield has not been recognized since 2020! Also pay attention to non-European cloud solutions.
- Obligation to erase data at end of contract
At the end of the contract, particular vigilance is required. The data must be returned or destroyed according to the agreed terms. Retain proof of the erasure.
Please note, the end of a contract does not exempt you from respecting the legal retention periods for certain documents. A point to validate with your DPO.
Towards value-creating GDPR compliance
- Trust and transparency with your partners
A robust GDPR approach strengthens the relationship of trust with your partners. It demonstrates your commitment to processing their data ethically and securely. A decisive asset for retaining your customers.
- A competitive advantage
When it comes to calls for tender, solid GDPR maturity will set you apart from many of your competitors who are still hesitant on the subject. For a client, this reduces the risk of contracting with you.
- Internal recognition
Internally, the GDPR lets you showcase the value of your legal and compliance teams. Show your ability to integrate this strategic dimension into your contracts and commercial offers.
Contractual sanctions in the event of breach
Breaches of GDPR obligations provided for in the contract may give rise to different types of sanctions.
You can include termination clauses providing for automatic termination of the contract in the event of a breach of clauses essential to GDPR compliance (purposes, security, etc.).
However, favor dialogue to resolve any disagreement.
Prevent conflicts instead of enduring them
Before entering into any agreement, a quote is worth 1000 words:
"Before establishing a joint agreement with a third party, ensure their solvency. Will a natural or legal person be able to assume the obligations imposed in the contract? Will it be able to keep its commitments?"
Aurore Bonavia, contract law (and GDPR) lawyer
As Ms. Bonavia points out, conflict prevention must take precedence even before signing the contract. An analysis of your potential partner will help assess the risks.
Check its financial and operational solidity: does it have the resources to respect its contractual commitments over time? Are its activity, reputation and internal processes compatible with GDPR requirements?
Such a due diligence process takes time but pays off: it reduces unpleasant surprises and future disputes. Anticipating problems also makes it possible to define appropriate preventive contractual clauses.
Knowing your co-contractor, their strengths and weaknesses, is the best insurance against conflicts. You will be able to build a relationship of trust over time.
And of course, draft legally robust contracts with a specialist who has in mind all the issues and the legal scope to be contractualized. Words fly away, writings remain.