Blog  |  January 27, 2022

Chances Are, Your Contracts Are Impacted By Data Privacy Requirements Too

In the first four posts of our data privacy series, we’ve discussed the current state of data privacy legislation in Europe and the U.S., how data privacy is driving changes to eDiscovery workflows (and even creating new workflows), how increased emphasis on data privacy is helping put information governance on the (data) map and how data privacy is raising the stakes for cybersecurity and data breaches. Our final post in the data privacy series discusses how contracts are impacted by data privacy requirements and the importance of having a sound contract analytics and management process to address potential contract changes quickly and effectively.

GDPR Compliance for Contracts

If you’re involved in a contract where personal data of European data subjects is involved, the contract needs to be compliant with Article 28, section 3 of GDPR (and if there’s not a contract governing the processing of European data subjects’ personal data, you probably need one). The main paragraph of Article 28, section 3 states:

“Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.” {emphasis added}

Article 28, section 3 goes on to set out eight stipulations for the processor, including: processing personal data only on documented instructions from the controller, a statutory obligation of confidentiality, putting in place appropriate security measures and (importantly) the use of third-party sub-processors, which requires the permission of the controller and a separate contract to govern the handling of that personal data as well.

Standard Contractual Clauses

As is the case with many other contractual requirements, the use of standard contractual clauses (SCCs) has become a common approach to address GDPR requirements. The Danish Data Protection Agency has adopted SCCs to help organizations comply with GDPR’s Article 28 requirements.

Updating Contracts to Comply with Data Privacy Requirements

Of course, GDPR is only one data privacy regulation to consider for compliance purposes, but many organizations have had to update their contracts (or even create new contracts) to ensure compliance with GDPR. Given the ever-changing landscape for data privacy, it’s logical to expect that regular changes will be needed to comply with other data privacy laws as well.

One of the challenges that many organizations face is not being aware of which contracts need updating or even what they have agreed to in their contracts. It is important to have insight into the contracts of an enterprise for many purposes, including (i) obligations relating to data privacy protection, (ii) requirements for data breach notification, (iii) the appropriate benchmark interest rates to be used or even (iv) Force Majeure clauses to address the impact the COVID-19 pandemic had on the enforceability of contracts.

The ability to organize contracts into a single repository that enables an organization to leverage technology such as AI and analytics to quickly identify key clauses is vital. This is particularly true in order to support periodic amendments dictated by the ever-changing data privacy landscape and other evolving legal standards. As Casey Kasem used to say, “the hits just keep on coming!” It’s important to be prepared to take those hits in stride, which requires robust contract analytics capabilities and a sound contract lifecycle management solution.

It’s fitting that the conclusion of this blog series is being posted during Data Privacy Week, which runs from January 24 through 28 in 2022! The National Cybersecurity Alliance (NCA) has expanded its previous Data Privacy Day campaigns into Data Privacy Week for 2022, with terrific guidance for individuals and organizations alike.

In addition to the guidance from the NCA, as we said when we introduced this blog series, data privacy considerations and concerns are affecting all our lives daily. And it’s driving how organizations address important legal-related functions including eDiscovery and litigation, information governance, cybersecurity and data breach handling and notification, and even contract management. When it comes to compliance with data privacy requirements, the more things change, the more they stay the same! It’s important for your organization to be nimble to address those changes as they happen.

For more regarding Cimplifi contract analytics capabilities, see the Cimplifi website.