Go back to menu

An example addendum addressing Article 28 GDPR

Prepared by the Article 28 GDPR working group

07 August 2017

The EU General Data Protection Regulation (GDPR) was passed in 2016 and will become law on 25 May 2018. It represents the biggest change in EU data privacy law in a generation and is likely to form a model for new data privacy rules in other jurisdictions. One of the key aspects of the law which could affect many organisations, is that the regulation imposes stringent new requirements for the appointment of processors by controllers including prescribing various matters which must be stipulated in a contract or other legal act (Article 28). In short, as the controller says how and why personal data is processed and the processor acts on the controller’s behalf, the GDPR places obligations on controllers to ensure their contracts with processors comply with the GDPR.

Although GDPR anticipates that the European Commission and supervisory authorities may lay down or adopt standard contractual clauses to meet these requirements, there is currently no such example template.  In the meantime, organisations face a very sizeable task of "re-papering" supply chain arrangements where processors are appointed to process on behalf of controllers prior to the application of GDPR on 25 May 2018.

International Regulatory Strategy Group (IRSG), meeting as the Article 28 GDPR working group co-chaired by Richard Jones of Clifford Chance and Ross McKean of DLA Piper, therefore thought it would be helpful to develop a suggested set of processor terms to help inform organisations of the new requirements and how they might be addressed in a contract.  Although the membership of the working group were largely from the financial services sector, it is hoped that the drafting proposed may also be of assistance to controllers and processors across other sectors.

Vivienne Artz, Managing Director and Global Head of Privacy Legal and Head of International for the Intellectual Property and Technology Law Group, Citi, (and Chair of the IRSG Data workstream) said: 

“As the deadline for the implementation of the GDPR approaches, firms still have much work to do to prepare for its new requirements. This addendum relating to Article 28 (Processor Terms) provides a valuable contribution to this work, in the absence of official guidance in this area.   We are extremely grateful to DLA Piper and Clifford Chance for their work  in producing this example template and we hope that it will assist firms in the financial services sector and beyond as they prepare for the GDPR May 2018 deadline.”

To download a copy of the template, please click here.