By Franck BEAUDOIN, avocat (solicitor admitted in France)
First publication on idroit.co on 26 May 2018
Published on droit.co on 3 June 2021
GDPR: template of clauses
Processing of personal data
1 – Compliance with the GDPR
Where personal data is processed in relation with this agreement, the parties shall comply with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – « GDPR ».
Each party represents and guarantees to the other party that it will strictly comply with the GDPR for any processing of personal data related to this agreement.
Notwithstanding anything to the contrary, the parties will not be liable under this agreement insofar as compliance with the GDPR prevents them from executing any obligation contemplated herein.
2 – Personal data of the service provider
If the client processes personal data of the service provider, or enables a third party to do so, he shall inform the service provider of the processing and comply with the GDPR, and where applicable instruct the third party to do so and procure his compliance.
3 – Personal data of the client
The service provider processes the personal data of the client as detailed in the privacy policy attached as appendix XXX [reference].
If the service provider carries out other processing of the personal data of the client, or enables a third party to do so, he shall inform the client of the processing and comply with the GDPR, and where applicable instruct the third party to do so and procure his compliance.
4 – Personal data of third parties
Confidentiality undertaking
Where the services lead to processing personal data of third parties, such personal data shall remain confidential. Therefore, in accordance with article 14, paragraph 5, (d), of the GDPR, the parties will not be obligated to provide the information listed in article 14 to the data subject.
Processor – processing on behalf of a controller
During the execution of this agreement, the service provider may be requested to process personal data on behalf of the client who determines the purposes and means of the processing. In this case, the client shall be the controller of the processing and the service provider shall be the processor, in the meaning of clause 28 of the GDPR. Before the service provider processes personal data on behalf of the client, the parties shall enter into a contract in the form set out in appendix XXX [reference] hereto.
Joint controllers
During the execution of this agreement, the service provider may be led to determine, jointly with the client, the purposes and means of a processing of personal data. In this case, the client and the service provider shall be joint controllers of the processing, in the meaning of clause 26 of the GDPR. Before the service provider processes personal data jointly with the client, the parties shall enter into an arrangement in the form set out in appendix XXX [reference] hereto.