Terms and Conditions with Data Processors: GDPR imposes mandatory obligations to enter into contractual terms where a data controller uses the services of a third-party data processor, for example a provider of IT services. Identifying whether an organisation is acting as a data controller or a data processor can be difficult and is often misunderstood, but it is an important distinction to draw, potentially affecting the responsibilities and liabilities of parties to a commercial arrangement.
Data processing terms must satisfy specific requirements in order to comply with the legislation. Myerson can provide appropriate documentation or review and advise on documentation issued by third parties. Organisations should be wary of agreeing to terms which erroneously identify the responsibilities of the respective parties or which seek, inappropriately, to shift responsibility and liability.
Terms and Conditions with third parties: Beyond strict obligations for contractual regulation between controllers and processors, it is generally appropriate for organisations that choose to share personal data to take measures so that shared data is processed without undue risk.
Due diligence in relation to data protection standards adopted by business partners and other third parties is an appropriate measure towards compliance. Data sharing agreements are best practice for ensuring that parties understand their respective responsibilities and liabilities. Myerson can advise on what approach and documentation is required in relation to the specific data sharing arrangements supporting your business activities.
Terms and Conditions with consumers must incorporate appropriate Privacy Information or refer to a compliant Privacy Notice.
Other important privacy documentation will include appropriate policies and procedures to ensure and demonstrate compliance.