The European Data Protection Board has issued final guidelines on the “necessary for the performance of a contract” legal basis for processing data under the General Data Protection Regulation (GDPR).

To use this legal basis, you need to show:

  • The processing is carried out in the context of a valid contract with the individual.

Who is responsible for putting a GDPR Article 28 Data Processing Agreement in place?

The Dutch Data Protection Authority, Autoriteit Persoonsgegevens, says: BOTH the data controller and the data processor.

  • As a controller, you are in violation if you cooperate with a processor but have not made any written agreements on this. In that case, you cannot

The Spanish AEPD has published a “white list” of data processing operations that DO NOT require a Data Protection Impact Assessment (DPIA) under GDPR:

  • Processing carried out under guidelines previously established or authorized by the DPA
  • Processing carried out under the guidelines of an approved code of conduct
  • Processing necessary to comply with a legal