Compliance

GDPR Compliance in Contracts: A Complete Guide

March 12, 2026 · 10 min read · By ContractScan Team

Why GDPR Matters for Your Contracts


The General Data Protection Regulation (GDPR) is not just a privacy policy requirement. It fundamentally changes what must be included in contracts involving personal data. If your business handles the personal data of EU/EEA residents — even if your business is located outside Europe — your contracts must include specific GDPR-compliant provisions.


Non-compliance carries severe penalties: fines of up to 20 million euros or 4 percent of global annual turnover, whichever is higher. But beyond fines, inadequate contractual provisions can expose your business to data breach liability, loss of customer trust, and contractual disputes with partners who require GDPR compliance as a condition of doing business.


This guide covers what your contracts need to include and how to verify compliance.


Understanding Data Roles Under GDPR


GDPR defines two primary data roles, controller and processor, plus joint controllership where two or more entities share the controller role. Your contractual obligations depend on which role you occupy:


Data Controller


The data controller determines the purposes and means of processing personal data. If you decide why and how personal data is collected and used, you are a controller. Most businesses are controllers for their customer, employee, and prospect data.


Controller obligations in contracts:

  • Use only processors that provide sufficient guarantees that they will implement appropriate technical and organizational measures (Article 28(1))
  • Put a written contract or other legal act in place with every processor that sets out the subject matter, duration, nature, and purpose of processing, the types of personal data, and the categories of data subjects (Article 28(3))
  • Maintain records of processing activities, including the processors you engage (Article 30)

Data Processor


The data processor processes personal data on behalf of the controller. If you handle personal data according to a client's instructions — such as a SaaS platform processing customer data, a payroll provider handling employee data, or a marketing agency managing mailing lists — you are a processor.


Processor obligations in contracts:

  • Process data only on documented instructions from the controller, including for transfers to third countries (Article 28(3)(a))
  • Ensure that persons authorized to process data are bound by confidentiality (Article 28(3)(b))
  • Implement appropriate technical and organizational security measures (Article 28(3)(c), Article 32)
  • Assist the controller in responding to data subject requests (Article 28(3)(e))
  • Assist the controller with its security, breach notification, and data protection impact assessment obligations (Article 28(3)(f), Articles 32 to 36)
  • Delete or return all personal data at the end of the service, at the controller's choice (Article 28(3)(g))
  • Make available all information necessary to demonstrate compliance and allow for audits (Article 28(3)(h))

Joint Controllers


When two or more entities jointly determine the purposes and means of processing, they are joint controllers. Joint controllership requires a specific arrangement allocating responsibilities between the parties, particularly regarding data subject rights, and its essence must be made available to data subjects (Article 26).


Required Contract Provisions: Article 28


Article 28(3) of the GDPR requires that the contract (or other legal act) between a controller and a processor include the following elements; the security and breach notification items also draw on Articles 32 and 33:


    1. Subject Matter and Duration of Processing


    The contract must specify:

  • What personal data will be processed
  • The categories of data subjects whose data is being processed
  • The duration of the processing (typically tied to the contract term)
  • What happens to the data when the contract ends

Example clause: "Processor shall process personal data consisting of contact information (name, email, phone) and usage data of Controller's customers for the purpose of providing the SaaS platform services described in this Agreement, for the duration of this Agreement."


    2. Nature and Purpose of Processing


    The contract must clearly describe:

  • What processing activities will be performed (collection, storage, analysis, transmission, deletion)
  • The purpose of the processing (service delivery, analytics, communications)
  • Any limitations on the purposes for which data may be used

3. Types of Personal Data


Specify the categories of personal data:

  • Contact information (name, email, phone, address)
  • Financial data (payment information, billing records)
  • Usage data (login activity, feature usage, IP addresses)
  • Special categories of data (health data, biometric data, political opinions), which may only be processed under one of the Article 9 exceptions and require additional safeguards

4. Obligations and Rights of the Controller


The contract should specify:

  • The controller's right to issue instructions regarding data processing
  • The controller's obligation to ensure lawful basis for processing
  • The controller's right to audit the processor's compliance
  • Procedures for the controller to exercise data subject rights

5. Security Measures


Article 32 requires appropriate technical and organizational measures, and Article 28(3)(c) requires the processor to commit to them in the contract. The contract should specify or reference:

  • Encryption of personal data in transit and at rest
  • Access controls and authentication requirements
  • Regular security testing and assessment
  • Incident response and breach notification procedures
  • Staff training on data protection
  • Physical security measures for data centers

6. Sub-Processor Requirements


When a processor engages sub-processors:

  • The controller must provide prior authorization (general or specific)
  • The processor must impose the same data protection obligations on sub-processors
  • The processor remains liable for sub-processor compliance
  • The processor must inform the controller of any intended addition or replacement of sub-processors, giving the controller the opportunity to object (Article 28(2))

7. Data Subject Rights Assistance


The processor must assist the controller in responding to requests from data subjects, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure — "right to be forgotten" (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

8. Breach Notification


The processor must:

  • Notify the controller without undue delay after becoming aware of a personal data breach (Article 33(2))
  • Provide sufficient information for the controller to meet its own notification obligations: the supervisory authority within 72 hours of the controller becoming aware (Article 33(1)), and affected data subjects where the breach is likely to result in a high risk to them (Article 34)
  • Assist the controller in investigating and remediating the breach

Because the controller's 72-hour clock starts when it becomes aware, a processor deadline of 72 hours leaves the controller no time of its own. Contracts therefore commonly set a shorter, fixed processor deadline (for example 24 or 48 hours) alongside the "without undue delay" wording.

9. Data Return and Deletion


At the end of the contract:

  • The processor must delete or return all personal data, at the controller's choice
  • The processor must delete existing copies unless EU or member state law requires retention
  • The processor should provide certification of deletion upon request

10. Audit Rights


The controller must have the right to:

  • Conduct audits or inspections of the processor's data protection practices
  • Request and review compliance documentation
  • Engage third-party auditors to assess compliance

International Data Transfers


If personal data will be transferred outside the EU/EEA, the contract must address the legal mechanism for that transfer (Chapter V, Articles 44 to 49):


Standard Contractual Clauses (SCCs): The European Commission has approved standard contractual clauses that provide appropriate safeguards for international data transfers. The current SCCs (Commission Implementing Decision (EU) 2021/914, adopted in June 2021) must be used for new contracts, and the module matching the parties' roles (for example controller-to-processor or processor-to-processor) must be selected.


Adequacy decisions: Transfers to countries with EU adequacy decisions (e.g., Canada for commercial organizations, Japan, the UK, and the United States for organizations certified under the EU-US Data Privacy Framework) do not require additional safeguards.


Binding Corporate Rules: For intra-group transfers within multinational organizations, approved binding corporate rules provide a compliance mechanism.


Supplementary measures: Following the Schrems II decision, businesses relying on SCCs or BCRs must carry out a transfer impact assessment of whether the legal framework in the recipient country provides essentially equivalent protection, and implement supplementary measures (for example encryption with keys held only inside the EEA) where it does not.


    GDPR Compliance Checklist for Contract Review


    Use this checklist when reviewing any contract that involves personal data:


  • [ ] Data processing roles clearly defined (controller, processor, joint controller)
  • [ ] Subject matter and purpose of processing specified
  • [ ] Categories of personal data and data subjects identified
  • [ ] Duration of processing defined
  • [ ] Processor must follow controller's documented instructions
  • [ ] Confidentiality obligations for personnel
  • [ ] Appropriate security measures specified or referenced
  • [ ] Sub-processor requirements and approval process included
  • [ ] Data subject rights assistance obligations included
  • [ ] Breach notification procedures and timelines specified
  • [ ] Data return/deletion at contract end addressed
  • [ ] Audit rights for the controller included
  • [ ] International transfer mechanisms addressed (if applicable)
  • [ ] Liability and indemnification for data protection breaches
  • [ ] Standard Contractual Clauses annexed (if applicable)
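As an added illustration of this checklist (example code written for this article, not ContractScan's product and not code from the original page), the script below runs a keyword baseline over a data processing addendum supplied as plain text and applies one concrete check from item 8, the processor's breach notification deadline. The provision names, the regular expressions, the two sample addenda and the 72-hour threshold are all assumptions made for the example. Matching a keyword only shows that a clause exists, not that it is adequate, so a reviewer still has to read each clause.

```python
import re

# Added example for this article (not ContractScan's code): a keyword baseline
# for an Article 28 contract review. Assumption: the agreement is plain text.
# The patterns are illustrative; keyword presence is not a legal judgement.
PROVISIONS = {
    "documented instructions, Art. 28(3)(a)": r"documented instructions",
    "personnel confidentiality, Art. 28(3)(b)": r"confidentiality",
    "security measures, Art. 28(3)(c) and Art. 32": r"technical and organi[sz]ational measures",
    "sub-processor terms, Art. 28(2) and (4)": r"sub-?processors?",
    "data subject request assistance, Art. 28(3)(e)": r"data subject",
    "breach notification, Art. 33(2)": r"personal data breach",
    "return or deletion, Art. 28(3)(g)": r"(delet|eras)\w*\s+(or|and)\s+return|return\s+(or|and)\s+(delet|eras)",
    "audit rights, Art. 28(3)(h)": r"\baudits?\b|\binspections?\b",
}

# The controller must notify its supervisory authority within 72 hours of
# becoming aware (Art. 33(1)). A processor deadline of 72 hours or more leaves
# the controller no time, so this heuristic treats it as inadequate.
CONTROLLER_DEADLINE_HOURS = 72

# "breach ... within N [business|working] hours/days", at most 300 chars apart.
DEADLINE_RE = re.compile(
    r"breach.{0,300}?within\s+(\d+)\s+(business\s+|working\s+)?(hours?|days?)",
    re.IGNORECASE | re.DOTALL,
)


def missing_provisions(text):
    """Return the names of provisions with no matching language in text."""
    return [name for name, pattern in PROVISIONS.items()
            if not re.search(pattern, text, re.IGNORECASE)]


def breach_deadline_hours(text):
    """Worst-case calendar hours the processor has to notify the controller.

    Returns None when no numeric deadline follows the word "breach" (for
    example the clause only says "without undue delay"). Business or working
    days are converted pessimistically: n business days starting on a Friday
    span a weekend, so they are taken as 24 * n + 48 hours.
    """
    match = DEADLINE_RE.search(text)
    if match is None:
        return None
    number = int(match.group(1))
    unit = match.group(3).lower()
    if unit.startswith("hour"):
        return number
    if match.group(2):          # "business" or "working" days
        return 24 * number + 48
    return 24 * number


def review(text):
    """Run both checks and report them the way a reviewer would read them."""
    hours = breach_deadline_hours(text)
    return {
        "missing": missing_provisions(text),
        "breach_deadline_hours": hours,
        "breach_deadline_ok": hours is not None and hours < CONTROLLER_DEADLINE_HOURS,
    }


# Constructed sample addenda (not real contracts). The first omits several
# Article 28(3) terms and gives the processor five business days to report.
WEAK_DPA = """\
Data Processing Addendum (constructed sample, deliberately incomplete).
1. The Processor shall process Personal Data only on the documented instructions of the Controller.
2. The Processor shall ensure that persons authorised to process Personal Data are bound by confidentiality.
3. The Processor shall implement appropriate technical and organisational measures.
4. The Processor shall notify the Controller of any Personal Data Breach within 5 business days of becoming aware of it.
5. On termination the Processor may retain Personal Data for its own purposes.
"""

STRONG_DPA = """\
Data Processing Addendum (constructed sample).
1. The Processor shall process Personal Data only on the documented instructions of the Controller.
2. Persons authorised to process Personal Data are bound by confidentiality obligations.
3. The Processor shall implement appropriate technical and organisational measures as required by Article 32.
4. The Processor shall not engage sub-processors without the prior written authorisation of the Controller and shall flow down the same obligations.
5. The Processor shall assist the Controller in responding to data subject requests under Articles 15 to 22.
6. The Processor shall notify the Controller of any Personal Data Breach without undue delay and in any event within 24 hours of becoming aware of it.
7. At the Controller's choice, the Processor shall delete or return all Personal Data at the end of the services.
8. The Processor shall allow for and contribute to audits and inspections conducted by the Controller.
"""

if __name__ == "__main__":
    for label, dpa in (("weak", WEAK_DPA), ("strong", STRONG_DPA)):
        print(label, review(dpa))
```

Run as a script, the weak addendum reports four missing provisions (sub-processors, data subject assistance, return or deletion, audit rights) and a worst-case deadline of 168 hours, while the strong one reports nothing missing and a 24-hour deadline. The pessimistic business-day conversion is deliberate: a clause that reads "two business days" is 48 hours on paper but 96 calendar hours if the breach is discovered on a Friday evening, which is the case a reviewer should plan for.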

How ContractScan Helps with GDPR Compliance


ContractScan's compliance checking feature automatically scans contracts for GDPR-required provisions. The AI identifies:


  • Whether a Data Processing Agreement is needed based on the contract's data handling provisions
  • Missing GDPR-required clauses with specific recommendations
  • Inadequate breach notification timelines
  • Missing or incomplete sub-processor provisions
  • Absence of audit rights or data deletion obligations
  • International transfer issues

Upload any vendor agreement, SaaS contract, or service agreement to ContractScan, and the compliance report will highlight exactly which GDPR provisions are present, which are missing, and what language should be added.


    For businesses handling EU personal data, GDPR compliance in contracts is not optional. ContractScan makes it manageable.
