
Must a contract be binding between the subcontractor and the controller and what should it include?

The GDPR reaffirms, and even reinforces, the obligation of precision in drafting the contractual clauses that bind the subcontractor (processor) and its controller, in particular regarding the processing arrangements, the management of their relationship and the exchange of information between them.

First, Article 28 of the GDPR maintains the obligation to conclude a contract linking the subcontractor to the controller.

Moreover, this article lays down stricter and more substantial requirements, namely the obligation for this legal document to set out:

  • the object of the service
  • the duration
  • the nature
  • the type of personal data collected
  • the categories of data subjects
  • the rights and obligations of the data controller
  • the security measures implemented regarding the processing of personal data to be carried out.

The same article also specifies that the controller is obliged to use only subcontractors who provide sufficient guarantees that they will implement appropriate technical and organizational measures to ensure that the processing meets the requirements of the GDPR and guarantees the protection of the rights of the data subject.