Skip to content
8 min read

GDPR Compliance: Key Terms for Your Contracts

The European Union's General Data Protection Regulation (GDPR) took effect in 2018. As a result of the explicit and wide-ranging constraints GDPR places on businesses, many companies (and their contracts) struggle with GDPR compliance. In this three-part blog series, we’ll lay out key aspects of GDPR that should inform your contract-drafting process, so you can stay ahead of this evolving regulatory framework. 

Let’s start with the basics: What is GDPR?

What is GDPR?

The European Union's General Data Protection Regulation is designed to protect the privacy of those using the Internet and similar online systems. It applies both to organizations operating within the European Union (EU), and any organizations offering goods or services to customers or businesses in the EU.

To deliver a concept as indefinite as "privacy" to all citizens of (and customers in) the EU, GDPR explicitly defines some key terms with which you and your contracts must be familiar. Here’s how those major terms are defined. 

Personal Information

Personal information is "any information relating to an identified or identifiable natural person." GDPR safeguards privacy by giving Internet users control over who can access, share, or sell their personal information. This has been broadly interpreted to include name, address, photos, and even IP address. 

Sensitive Data

Sensitive data is defined as a subset of personal information relating to race, religion, sexual life, data pertaining to health, genetics, and biometrics. Sensitive data is given an additional layer of protection under GDPR.

Data Collection and Data Processing

Data collection is any software process that collects or generates information about an Internet user. Data processing is subjecting that data to processing by persons or software, such that you alter the value or usefulness of that data. Strictly speaking, anything from alphabetizing a list to calculating a person's credit score would be considered data processing. GDPR requires data to be processed “lawfully, fairly and in a transparent manner” for “specified, explicit and legitimate purposes” and “limited to what is necessary in relation to the purpose.” Companies may re-purpose personal data with appropriate safeguards, like encryption or pseudonymization.

Contract Management Solutions

Data Controllers and Data Processors 

Personal data may be processed either by a "controller" or a "processor." A data controller is responsible for determining the procedures for, and the legal basis of, processing personal data. The data processor completes the processing on behalf of the controller. A data processor may include third-party vendors or outsourcing (sub-processor). 

As an example, your company (the controller) may have a newsletter subscription form on its website that collects email addresses. You may use those emails to send out newsletters from your own email software (processor), or from a third-party email service like G Suite or Mailchimp (sub-processor). For purposes of compliance, a data controller is responsible for the conduct of a data processor as well. 

International Transfer

Sending personal data outside the EU is considered an international transfer, and there are rules around how this must be handled. The data collected by an EU company or from an EU citizen may be transferred to non-EU countries only if the European Commission has determined that the receiving country provides for an adequate level of data protection. Recently, in the Schrems II Decision, the European Court invalidated the EU-U.S. Privacy Shield Framework’s adequacy. Put simply, the United States legal code does not currently offer privacy protections adequate to comply with GDPR, so U.S. service providers must go above and beyond U.S. legal requirements, and must commit to as much in their contracts.


GDPR states that controllers and processors should implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. This is especially relevant when it comes to data breaches.

Data Breach

A data breach is any incident or action that results in the exposure of personal information without the consent of the persons to whom that information refers. If any unauthorized person gains access to the personal data stored on your systems -- either due to a hack or simple inadvertent transmission -- that is a data breach.

Breach Notification

Data controllers have an obligation to notify others of any data breach that exposes personal information for which they are responsible. The controller must notify a breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. If a processor experiences a breach, it must notify the controller without undue delay. The notification to the supervisory authority must include the possible categories and approximate numbers of individuals and records concerned, the name of the organization’s data protection officer or another contact, the likely consequences of the breach, and the measures taken to mitigate harm.

Tomorrow on the blog, we’ll outline specific contract clauses that need GDPR updates. Or, you can download this eBook to learn the full list right now.

Enjoy content like this? Make sure to subscribe to our blog to get all the latest and greatest content for legal leadership. 

Alyssa Verzino is a Content Marketing Manager at LinkSquares.