This objective marked our approach to the development of data processing clauses (RGPD) and we have tried to design a series of C2P clauses that can be used as a starting point by a large number of companies in a large number of market sectors, taking into account the need to meet all the requirements of Section 28 , paragraph 3, of the RGPD (on the one hand), with accessible accessibility. , fitness to work and length (on the other side). We therefore implicitly assumed that the organizations wanted formulations covering all eight requirements, but that they were proportional to the nature of the personal data to be processed and the duration of the overall agreement. We have also set ourselves the objective of « proving in the future » the C2P clauses that we are preparing, incorporating a term allowing the subcontractor to replace the conditions with applicable securities with clauses or certification systems with processors in accordance with Article 28, paragraph 6, paragraph 8). More than 140,000 lawyers worldwide already rely on practical law to get a quality lead in the practice of law, so you know you are in good company. Although a large number of existing contracts between processing managers and subcontractors will include – but perhaps not all – the conditions mentioned above, organizations need to review and perhaps rework all contracts that involve the processing of personal data, so that they contain the more detailed C2P clauses that the RGPD imposes. This equal treatment of all categories of personal data, in accordance with the C2P clauses, means that the language used to comply with Article 28, paragraph 3, can range from relatively short form clauses to significant and detailed terms, such as those of the International Regulatory Strategy Group. To be fully compliant, companies must include all eight of these PDPR requirements in all contracts dealing with the processing of personal data, regardless of the nature of the personal data processed and the potential risks and damages that may result from a violation of C2P clauses or non-compliance with the RGPD. There is no exception when, for example, the only data processed relates to company email addresses (low risk, public) of staff on both parties. Nor is there an obligation to impose additional or more restrictive conditions on the subcontractor where the contract includes a massive processing of personal data or the processing of certain categories of personal data.

The activities required to meet these obligations may require considerable delays and resources. It is therefore important to create and implement processes and procedures for reviewing, modifying and integrating RGPD-compliant C2P clauses into existing and new contracts that may involve the processing of personal data.