GDPR Article 28 Contracts: What You Need to Know

An overlooked GDPR requirement AND a business enabler

Andy Snow has trained thousands of people on the GDPR (General Data Protection Regulation). So, he’s a good person to ask about what areas people find challenging.

His response? “The data-sharing aspects of contracts.”

As a trainer, Andy regularly receives praise for his engaging delivery style, bringing the subject matter to life with real-world examples. In this conversation, he did the same.

Andy’s explanations show the importance of this overlooked area of GDPR compliance.

Contracts aren’t just a GDPR requirement. Doing your due diligence can save your organisation a lot of money, avoiding not just GDPR fines, but also operational disruption and liability for something that was your contractor’s fault.


About Andrew Snow

Andrew ‘Andy’ Snow is a GDPR DPO (data protection officer) with extensive public- and private-sector experience in regulatory compliance, privacy compliance framework development, and other areas relating to data protection. He’s also an enthusiastic data privacy and cyber security trainer.

We’ve previously interviewed Andy on the UK–US ‘data bridge’ (Data Privacy Framework), a landmark ECJ (European Court of Justice) ruling on the EU GDPR and Article 30 ROPAs (records of processing activities).


In this interview


What is an area of GDPR compliance organisations struggle with?

The data-sharing aspects of contracts. At IT Governance, we’ve trained thousands of people on the GDPR. How many came from a contracts background? Perhaps two or three.

But contracts are an important aspect of GDPR compliance. They must clearly identify, among other things:

  • Who the controller is;
  • Who the processor is; and
  • What the processor’s responsibilities are for data processing and security.

The role of the DPO or the accountable person [e.g. the data privacy manager] is that they must monitor compliance with the GDPR. So, they must look at those contracts, or how will they know whether the organisation is compliant?

Why is this such an overlooked area when it comes to data protection?

My first insight into that was many years ago, when I was running a DPIA [data protection impact assessment] project for a global construction company. I needed to see the contracts so that I could identify who was responsible for what, and some other basics.

But the client said I couldn’t see those contracts due to confidentiality, given the commercial aspect.

Well, I don’t want or need to see the commercial parts of the contract – I want to see the data-sharing parts, which should be freely available.

This company had to talk to the other parties to get copies of those contracts – it didn’t have them on hand. That experience taught me that contracts were going to be a major area – and this holds true today!

What exactly should organisations check for in their contracts, in terms of data sharing?

First, make sure the contracts meet the requirements of Article 28, as well as the GDPR’s requirements on the security of processing [Article 32].

You should also check the business/service continuity guarantees. If you’re relying on a third-party service provider to provide you with your data, and that third party suffers an outage – for whatever reason – how does that impact you, as the data controller?

Of course, this goes beyond GDPR compliance, into general business, but it’s all data-related. If you can’t access your data, you can’t provide your services, which costs you financially and reputationally. Thinking about the operational resilience of your supply chain is common sense, but few organisations pay attention to this.

So, check your processor has business continuity plans in place.

That’s in a controller–processor relationship. What about a joint controller one?

If, say, you’re using a payroll company, you’re handing over your staff’s information so that they get paid. And maybe that’s a five-year contract, so you’ll want that contract to state that all data must be returned to you at the end of those five years.

However, that payroll company has its own legal obligations. It must retain that information for six years after the contract ends, because it must be able to explain why it made those payments.

It’s about understanding what obligations the other party has, whether it’s a data controller or processor.

Here’s another example: the GDPR doesn’t say anything about clawback provision. But you’d obviously want clawback provision in your contracts!

How do clawback provisions relate to the GDPR?

Suppose that you’re a UK-based controller, and the processor is in the US. And suppose that the processor causes a breach of the data you’re ultimately responsible for, as the data controller.

Who is the [UK-based] data subject going to take to court to see judicial remedy?

They’re not going to go after the American company. They’ll take the controller here in the UK. In that sort of scenario, you want to make sure that you can recover the legal fees from that US-based processor. A clawback provision in your contract allows that to happen.

Basically, where personal data is involved, so is the GDPR. So, you must check your contracts – establish that you, as the controller, won’t find yourself liable for something the processor did.


Find this interview useful? Want to stay in the loop on
future conversations and blogs like this? Subscribe to our
free weekly newsletter: the Security Spotlight.


A lot of this seems to come back to due diligence – always review the contracts before you sign them. It also seems to reflect how the GDPR can be a business enabler, rather than a compliance headache, if approached correctly.

Correct. The GDPR brings good business sense – good business requirements – into the contract. With Article 28 of the GDPR – both the UK and EU versions of the Regulation – as your starting point.

But it also comes back to situations like the ECJ ruling we previously talked about. This gives us a legal precedent* that using a data processor isn’t a ‘get out of jail free’ card. Out of sight isn’t out of mind.

You can’t have a contract with someone but not check that the processor is actually adhering to the terms. It shows a lack of due diligence and accountability, even if you’ve checked that the contract itself is GDPR compliant.

Plus, it’s not just a matter of GDPR fines – not doing your due diligence may cost you in terms of operational disruption and/or if a data subject takes you to court.

*For the EU GDPR; unfortunately, we have none for the UK GDPR yet.

You mentioned checking for data security and business continuity provisions. What else must organisations check their contracts for, from a GDPR perspective?

It depends on which GDPR you mean. For the EU GDPR, use the SCCs [standard contractual clauses]. The European Commission modernised them in June 2021.

If you use the SCCs without amendment, they should comply with the requirements of Article 28. That means they’re a great starting point for making sure contracts are compliant with the EU GDPR.

For the UK GDPR, since the EU updated its SCCs, the ICO [Information Commissioner’s Office] also updated its mechanism. The IDTA [international data transfer agreement] came into force from March 2022, with a two-year transition period, which has now ended.

So, under the UK GDPR, you must now rely on the IDTA, not the SCCs. They share the same principles though: use them unchanged, and they should be UK GDPR compliant.

I can see that working for very close partnerships, especially with smaller service providers. But what if you’re using a large, global service provider like Microsoft or Amazon?

As you’re implying, you’ll have to sign someone else’s contract in those types of scenarios. But you can still check those contracts against the requirements of the GDPR, especially Article 28. These types of organisations know what their obligations are – they won’t be surprised about you wanting to do that.

However, make sure the contract is explicitly referring to the UK GDPR, not just the EU GDPR. Ditto for other national data protection laws.

That’s a big one organisations tend to overlook. Just let them know about that oversight – they won’t mind; you’re essentially doing them a favour, helping them meet their regulatory requirements!

Remember: you’re dealing with a contract here, not terms and conditions.


Interviewer note: real-life example

I find it very easy to believe that organisations will welcome such corrections. In 2022 – four years after the UK DPA (Data Protection Act) 2018 came into effect – I was checking over a contract to sign (as an individual, not to represent a business). This contract still referenced the DPA 1998.

When I pointed this out to the company, they thanked me, and corrected my contract as well as their template.

If I can receive this response as an individual, surely organisations can expect the same.


Do you have any final words of advice?

Don’t be scared of challenging or talking to the other party.

I’ve done this before. I’ve had to phone Microsoft and IBM, saying: “This contract you sent through doesn’t say whether the data is being shared with any third parties.” Or I’ve had to ask: “Your contract says you’ll share my data with ‘like-minded’ processors, but who are they? Can you please list them, so I know what I’m agreeing to?”

I see so many people – especially smaller organisations – go: “Oh my word, it’s Microsoft. They’re never going to listen to me.”

Yes, they will!

Because they want your business. They have teams waiting for you to email or phone them to have these conversations. But they’re not going to phone you to check that you’re happy with the contract. So, don’t be scared to go back and challenge it.


Looking for a solid GDPR foundation?

Our industry-leading Certified GDPR Foundation Training Course will help unlock your organisation’s potential.

Designed to equip you with essential knowledge and practical skills, and delivered by an experienced trainer and practitioner like Andy, this comprehensive course ensures compliance with the GDPR while maximising the benefits for both individuals and organisations.

The GDPR Foundation course covers the controller–processor relationship, GDPR contracts, international data
transfers, and many of the Regulation’s core requirements.


We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.

In the meantime, why not check out our interview with managing consultant at GRCI Law, our sister company, Loredana Tassone on six years of the GDPR?

If you’d like to get our latest interviews and resources straight to your inbox, subscribe to our free Security Spotlight newsletter. Alternatively, explore our full index of interviews here.

Leave a comment

Your email address will not be published. Required fields are marked *