GDPR clause: Copy, customize, and use instantly
Introduction
A GDPR clause outlines the obligations and rights of the parties regarding personal data processing in compliance with the European Union's General Data Protection Regulation (GDPR). It specifies the responsibilities of data controllers and processors and the protection of data subjects’ rights, and it ensures compliance with the GDPR's requirements for data privacy and security.
Below are templates for GDPR clauses tailored to different scenarios. Copy, customize, and insert them into your agreement.
GDPR clause (general)
This version outlines the general GDPR compliance obligations.
Both Parties acknowledge their obligations under the General Data Protection Regulation (GDPR) in relation to the processing of personal data. The Parties agree to comply with all applicable provisions of the GDPR, including the obligations to process personal data lawfully, transparently, and securely. Each Party shall ensure that personal data is collected, processed, and stored only for specified purposes and in accordance with data subject rights under the GDPR.
GDPR clause (with data processing roles)
This clause specifies the roles of data controller and processor.
For the purposes of the General Data Protection Regulation (GDPR), the Parties agree that [Party A] is the Data Controller and [Party B] is the Data Processor. The Data Controller retains control over the purposes and means of processing the personal data, while the Data Processor shall process the personal data only on the documented instructions of the Data Controller. The Parties shall ensure compliance with GDPR requirements, including the establishment of appropriate technical and organizational measures to protect the data.
GDPR clause (with consent requirements)
This version includes consent requirements for processing personal data.
The Parties agree that personal data will only be processed in accordance with the General Data Protection Regulation (GDPR) and that they shall not process any personal data unless the data subject has provided explicit consent, where required by the GDPR. The Parties shall ensure that all personal data collected, processed, or used for marketing purposes is based on valid consent obtained from the data subjects, and such consent can be revoked at any time.
GDPR clause (with data protection rights)
This clause outlines the data protection rights of data subjects.
The Parties agree to uphold the data protection rights of individuals under the General Data Protection Regulation (GDPR). Data subjects shall have the right to access, rectify, erase, restrict processing, and object to processing of their personal data. Additionally, data subjects shall have the right to data portability. The Parties shall ensure that all requests from data subjects to exercise these rights are promptly and adequately addressed, in compliance with the GDPR.
GDPR clause (with data security requirements)
This version includes data security requirements for processing personal data.
The Parties agree to implement appropriate technical and organizational measures to ensure the security of personal data under the General Data Protection Regulation (GDPR). These measures include, but are not limited to, encryption, access control, and data anonymization where appropriate. Both Parties shall conduct regular risk assessments to ensure that the processing of personal data is secure and complies with the GDPR’s requirements for data protection.
GDPR clause (with breach notification)
This clause includes breach notification requirements.
The Parties agree to notify each other within [X] hours of becoming aware of any data breach involving personal data processed under the General Data Protection Regulation (GDPR). The notification shall include the nature of the breach, the categories of data involved, and the corrective actions taken to mitigate the breach. Both Parties shall cooperate to notify affected data subjects and relevant authorities in accordance with GDPR breach notification requirements.
GDPR clause (with data retention and deletion)
This clause covers data retention and deletion policies.
The Parties agree that personal data shall only be retained for as long as necessary to fulfill the purposes outlined in this Agreement and comply with the General Data Protection Regulation (GDPR). Upon the termination of this Agreement or the completion of the purpose for which the personal data was collected, the data shall be securely deleted or anonymized, in compliance with GDPR’s data retention and deletion guidelines.
GDPR clause (with international data transfers)
This version addresses international data transfers.
The Parties acknowledge that personal data processed under this Agreement may be transferred outside the European Economic Area (EEA). The Parties agree that such transfers will only occur if they comply with the General Data Protection Regulation (GDPR) requirements, including the use of appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), to ensure that the personal data remains protected in accordance with the GDPR.
GDPR clause (with sub-processing requirements)
This clause specifies requirements for sub-processors.
The Data Processor agrees not to engage any sub-processors for the processing of personal data without the prior written consent of the Data Controller. If sub-processors are used, the Data Processor will ensure that the sub-processor is bound by data protection terms equivalent to those set out in this Agreement and in compliance with the General Data Protection Regulation (GDPR). The Data Processor shall remain fully liable for the actions of any sub-processors.
GDPR clause (with audit rights)
This version includes audit rights for data protection compliance.
The Parties agree that the Data Controller shall have the right to audit the Data Processor’s compliance with the General Data Protection Regulation (GDPR) and the terms of this Agreement. The audit may include, but is not limited to, reviewing the Data Processor’s data processing practices, data security measures, and breach response protocols. The Data Processor agrees to provide all reasonable assistance to facilitate such audits and ensure compliance with the GDPR.
GDPR clause (with data protection impact assessment)
This clause addresses the need for a data protection impact assessment (DPIA).
The Parties agree to conduct a Data Protection Impact Assessment (DPIA) if the processing of personal data under this Agreement is likely to result in a high risk to the rights and freedoms of individuals, in accordance with the General Data Protection Regulation (GDPR). The DPIA will assess the impact of the processing on data subject privacy, and both Parties will cooperate to implement measures to mitigate any identified risks.
GDPR clause (with data minimization)
This clause incorporates data minimization principles.
The Parties agree to adhere to the principle of data minimization under the General Data Protection Regulation (GDPR). Personal data shall only be collected, processed, and stored to the extent necessary for the purposes outlined in this Agreement. The Parties shall ensure that the amount of personal data processed is limited to what is required to fulfill the obligations of the Agreement.
GDPR clause (with data subject access request handling)
This version addresses data subject access requests.
The Parties agree that the Data Processor will promptly assist the Data Controller in responding to any data subject access requests (DSARs) in accordance with the General Data Protection Regulation (GDPR). If a data subject requests access to their personal data, the Data Controller shall coordinate with the Data Processor to ensure the request is fulfilled in a timely manner, within the required [X] days from the request.
GDPR clause (with third-party processor assurances)
This clause ensures third-party processors are compliant with GDPR.
The Data Processor agrees that any third-party processors it engages in the processing of personal data will be subject to the same data protection obligations as those set out in this Agreement and in accordance with the General Data Protection Regulation (GDPR). The Data Processor shall obtain assurances from all third-party processors that they comply with the requirements of the GDPR and will provide such assurances to the Data Controller upon request.
GDPR clause (with confidentiality of personal data)
This version includes confidentiality provisions.
The Parties agree to maintain the confidentiality of personal data processed under this Agreement in accordance with the General Data Protection Regulation (GDPR). Both Parties shall implement appropriate measures to prevent unauthorized access, disclosure, or processing of personal data. Any personnel or third parties involved in processing personal data shall be subject to confidentiality obligations that ensure the protection of personal data.
GDPR clause (with rights to modify processing terms)
This clause provides for modification of processing terms.
The Parties agree that the terms of personal data processing under this Agreement may be modified to ensure compliance with the General Data Protection Regulation (GDPR). If there are any changes to applicable laws, regulations, or processing requirements, both Parties will update the terms of this Agreement to reflect such changes and ensure continued GDPR compliance.
GDPR clause (with direct responsibility for data protection)
This clause assigns direct responsibility for data protection.
The Parties agree that the Data Controller retains ultimate responsibility for ensuring compliance with the General Data Protection Regulation (GDPR) and that the Data Processor will act only on the Data Controller’s instructions regarding the processing of personal data. The Data Controller is responsible for ensuring that any processing of personal data is lawful, fair, and transparent.
GDPR clause (with security breach reporting timeline)
This clause specifies the reporting timeline for data breaches.
The Parties agree to report any data breach involving personal data within [X] hours of becoming aware of the breach, in compliance with the General Data Protection Regulation (GDPR). The report will include details of the breach, the types of personal data affected, the potential consequences, and the measures taken to mitigate any risks to data subjects.
GDPR clause (with explicit data processing agreement)
This clause formalizes the data processing agreement.
The Parties agree that this Agreement serves as the formal Data Processing Agreement (DPA) in accordance with the General Data Protection Regulation (GDPR). Both Parties acknowledge that they are bound by the terms outlined in this DPA, which sets forth the data protection obligations and responsibilities related to the processing of personal data.
GDPR clause (with restrictions on automated decision-making)
This clause limits automated decision-making.
The Parties agree that no personal data will be processed for automated decision-making, including profiling, unless expressly authorized under the General Data Protection Regulation (GDPR). If automated decisions are necessary, the data subjects will be informed and provided with the opportunity to contest decisions made solely based on automated processing.
GDPR clause (with requirements for pseudonymization)
This version includes pseudonymization requirements.
The Parties agree to pseudonymize personal data where possible to ensure the protection of data subjects' identities under the General Data Protection Regulation (GDPR). Pseudonymized data will be used for analysis, processing, and research, ensuring that individuals cannot be re-identified without additional information stored separately and securely.
GDPR clause (with third-party audits for GDPR compliance)
This clause includes third-party audits for GDPR compliance.
The Parties agree that an independent third-party audit will be conducted annually to assess the compliance of the data processing activities with the General Data Protection Regulation (GDPR). The audit findings will be shared with both Parties, and corrective actions will be implemented promptly to address any non-compliance issues identified.
GDPR clause (with restrictions on profiling)
This version restricts profiling.
The Parties agree that no personal data will be processed for profiling purposes unless explicitly authorized under the General Data Protection Regulation (GDPR). If profiling is required, data subjects will be informed in advance, and profiling activities will comply with GDPR principles, including the right of the data subject to object to profiling.
GDPR clause (with periodic data protection training)
This clause includes a provision for periodic data protection training.
The Parties agree to provide regular data protection training to all employees involved in processing personal data. The training will focus on ensuring compliance with the General Data Protection Regulation (GDPR) and educating staff on their obligations related to data subject rights, data security, and the proper handling of personal data.
GDPR clause (with encryption requirements)
This clause outlines encryption requirements.
The Parties agree that personal data processed under this Agreement will be encrypted both during transmission and while stored. The encryption standards will comply with the highest industry standards and the General Data Protection Regulation (GDPR). Both Parties will regularly review and update their encryption methods to ensure data protection.
GDPR clause (with right to erasure)
This version outlines the right to erasure.
The Parties agree that, upon the request of a data subject, personal data will be erased from all records under the General Data Protection Regulation (GDPR) within [X] days. Data subjects will be informed of their right to erasure, and both Parties will take appropriate steps to ensure compliance with this right in accordance with the GDPR.
GDPR clause (with explicit processing purposes)
This clause includes explicit processing purposes.
The Parties agree that personal data will only be processed for the specific purposes outlined in this Agreement. These purposes will be clearly defined in accordance with the General Data Protection Regulation (GDPR), and any change in the purpose of processing will require the explicit consent of the data subject or a legal basis under the GDPR.
GDPR clause (with data subject consent management)
This version focuses on consent management.
The Parties agree that explicit consent from data subjects will be obtained before processing their personal data, where required by the General Data Protection Regulation (GDPR). Both Parties will implement a robust consent management system to track and record consent, ensuring that consent is freely given, informed, and can be withdrawn at any time.
GDPR clause (with data portability rights)
This clause addresses data portability rights.
The Parties agree that data subjects will have the right to request the transfer of their personal data in a structured, commonly used, and machine-readable format, as outlined in the General Data Protection Regulation (GDPR). Both Parties will facilitate the transfer of data to the data subject or another controller, as applicable, in accordance with GDPR's data portability provisions.
GDPR clause (with notification of processing changes)
This version includes a notification of processing changes provision.
The Parties agree to notify each other within [X] days of any material changes to the way personal data is processed under this Agreement. Any changes to the processing methods or the purpose of processing will require prior consultation and approval to ensure compliance with the General Data Protection Regulation (GDPR).
GDPR clause (with assistance in data protection impact assessments)
This clause addresses data protection impact assessments (DPIAs).
The Parties agree to assist each other in conducting Data Protection Impact Assessments (DPIAs) when required under the General Data Protection Regulation (GDPR). The Parties will cooperate in identifying and assessing any potential risks to data subjects' privacy and implementing measures to mitigate those risks before proceeding with the processing activities.
GDPR clause (with provision for corrective actions)
This clause outlines corrective actions for non-compliance.
The Parties agree to take immediate corrective actions if any non-compliance with the General Data Protection Regulation (GDPR) is identified in the processing of personal data. These actions may include modifying processing practices, implementing additional security measures, or notifying data subjects or supervisory authorities as required by the GDPR.
GDPR clause (with restrictions on joint processing)
This version addresses joint processing restrictions.
The Parties agree that any joint processing of personal data under this Agreement will be subject to a separate written agreement outlining the specific responsibilities and obligations of each Party. Both Parties shall ensure that joint processing complies with the General Data Protection Regulation (GDPR), and each Party will be accountable for its respective actions in relation to the personal data.
GDPR clause (with requirements for data access control)
This clause sets requirements for access control.
The Parties agree to implement strict access control measures to ensure that only authorized personnel have access to personal data processed under this Agreement. These measures will comply with the General Data Protection Regulation (GDPR) and include role-based access controls, user authentication, and regular audits of access logs.
GDPR clause (with explicit reporting of processing activities)
This version requires explicit reporting of processing activities.
The Parties agree to maintain records of all processing activities related to personal data under this Agreement and provide these records to each other or supervisory authorities upon request, as required by the General Data Protection Regulation (GDPR). The records will include details of the data subjects, processing purposes, categories of data, and the legal basis for processing.
GDPR clause (with assurance of data protection by design)
This clause ensures data protection by design.
The Parties agree to implement data protection measures by design and by default, as required by the General Data Protection Regulation (GDPR). This includes ensuring that only the minimum necessary personal data is processed and that data protection principles are integrated into the design of processes, systems, and technologies.
GDPR clause (with third-party compliance)
This version ensures third-party compliance with GDPR.
The Parties agree to ensure that any third-party vendors, contractors, or subprocessors involved in the processing of personal data comply with the General Data Protection Regulation (GDPR). Both Parties shall require all third parties to enter into written agreements that impose data protection obligations consistent with the terms of this Agreement and the requirements of the GDPR.
GDPR clause (with the right to restrict processing)
This clause includes the right to restrict processing.
The Parties agree that data subjects have the right to request the restriction of their personal data processing under certain circumstances, as outlined in the General Data Protection Regulation (GDPR). The Parties will promptly comply with such requests and ensure that no further processing of personal data occurs until the restriction is lifted, except where required by law.
GDPR clause (with provision for data subject objections)
This version covers data subject objections.
The Parties agree to respect the right of data subjects to object to the processing of their personal data as outlined under the General Data Protection Regulation (GDPR). If a data subject objects to the processing, the Parties will promptly cease the processing unless there is a legitimate basis for continuing the processing, which overrides the data subject's rights.
GDPR clause (with regular data protection assessments)
This clause ensures regular data protection assessments.
The Parties agree to conduct regular assessments of their data protection practices, including evaluating the adequacy of the security measures in place to protect personal data. These assessments will ensure compliance with the General Data Protection Regulation (GDPR) and will be reviewed at least annually to address any emerging risks or issues.
GDPR clause (with provision for handling third-party requests)
This clause addresses third-party requests for personal data.
The Parties agree that any third-party request for personal data must be promptly reported to the other Party. If such a request is legitimate and required by law, the Parties will cooperate to ensure that the data is provided in compliance with the General Data Protection Regulation (GDPR). If the request is not legally justified, the Parties will take steps to protect the data subject's rights.
GDPR clause (with privacy by default)
This version ensures privacy by default.
The Parties agree to implement privacy measures by default in all data processing activities. Only the personal data necessary for the intended purpose will be processed, in compliance with the General Data Protection Regulation (GDPR). Access to personal data will be restricted to those with a need to know, ensuring that privacy is upheld throughout the processing activities.
GDPR clause (with monitoring for GDPR compliance)
This clause requires monitoring for GDPR compliance.
The Parties agree to regularly monitor their compliance with the General Data Protection Regulation (GDPR) throughout the duration of this Agreement. This includes conducting internal audits, ensuring that all data processing activities align with GDPR principles, and implementing corrective measures when necessary to maintain compliance.
GDPR clause (with provision for rectification of data)
This version provides for rectification of inaccurate data.
The Parties agree that if any personal data processed under this Agreement is found to be inaccurate or incomplete, the data shall be rectified or completed without delay in accordance with the General Data Protection Regulation (GDPR). Both Parties will work together to ensure that inaccurate personal data is corrected to maintain the integrity of the data.
GDPR clause (with risk mitigation for data processing)
This clause addresses risk mitigation in data processing.
The Parties agree to implement risk mitigation strategies to address any potential risks associated with the processing of personal data. These strategies will comply with the General Data Protection Regulation (GDPR) and include the use of encryption, anonymization, and other security measures to protect the personal data from unauthorized access, loss, or damage.
GDPR clause (with data subject’s right to restrict processing)
This clause includes the data subject's right to restrict processing.
The Parties agree to honor the right of data subjects to restrict the processing of their personal data under the General Data Protection Regulation (GDPR). If a data subject requests to restrict processing, the Parties will comply unless there is a lawful basis for continuing the processing, such as for legal claims or legitimate interests.
GDPR clause (with data sharing restrictions)
This version imposes restrictions on data sharing.
The Parties agree that personal data processed under this Agreement shall not be shared with any third parties without the prior consent of the data subject, unless required by law or as necessary for the performance of this Agreement. Any sharing of personal data with third parties will be done in compliance with the General Data Protection Regulation (GDPR) and subject to appropriate safeguards.
GDPR clause (with explicit transfer terms for international data)
This clause addresses international data transfers.
The Parties agree that any transfer of personal data outside the European Economic Area (EEA) will only occur if the receiving country provides adequate data protection standards as per the General Data Protection Regulation (GDPR). If necessary, the Parties will implement appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) to protect personal data during international transfers.
GDPR clause (with provision for joint data controller responsibilities)
This version includes joint data controller responsibilities.
The Parties acknowledge that they are joint data controllers for certain personal data processing activities under this Agreement. Both Parties agree to jointly determine the purposes and means of processing personal data, and each Party shall be responsible for ensuring compliance with the General Data Protection Regulation (GDPR) with respect to the personal data it processes.
GDPR clause (with third-party processor responsibility)
This clause outlines the third-party processor responsibility.
The Parties agree that if third-party processors are engaged to process personal data under this Agreement, they will be bound by written agreements that impose data protection obligations in line with the General Data Protection Regulation (GDPR). The Data Processor shall remain liable for the actions of its sub-processors and shall ensure that any third-party processor meets the GDPR’s requirements.
GDPR clause (with data retention limit)
This version sets a data retention limit.
The Parties agree to retain personal data only for as long as necessary to fulfill the purposes outlined in this Agreement and in compliance with the General Data Protection Regulation (GDPR). Upon the completion of the data processing activities or upon request from the data subject, the personal data shall be securely deleted or anonymized as per the GDPR’s data retention principles.
GDPR clause (with specific data security obligations)
This clause sets out specific data security obligations.
The Parties agree to implement and maintain adequate security measures to protect personal data processed under this Agreement in accordance with the General Data Protection Regulation (GDPR). These measures include, but are not limited to, encryption, firewalls, access controls, and regular security audits to ensure that personal data remains secure from unauthorized access or disclosure.
GDPR clause (with right of rectification and erasure)
This version includes the right of rectification and erasure.
The Parties agree to comply with the rights of data subjects under the General Data Protection Regulation (GDPR), including the right to request rectification or erasure of their personal data. Both Parties will take prompt action to address any requests for rectification or erasure and will ensure that the personal data is corrected or deleted in compliance with the GDPR requirements.
GDPR clause (with obligation to notify authorities of data breaches)
This clause addresses the obligation to notify authorities of data breaches.
The Parties agree to notify the relevant supervisory authority of any personal data breach that may affect the rights and freedoms of data subjects under the General Data Protection Regulation (GDPR). The notification will be made within [X] hours of discovering the breach, and the Parties will provide all necessary details as required by the GDPR.
GDPR clause (with transparency of data processing practices)
This version ensures transparency in data processing practices.
The Parties agree to be transparent with data subjects regarding the processing of their personal data under the General Data Protection Regulation (GDPR). Both Parties will provide clear and accessible information to data subjects about the purposes of data processing, the legal basis for processing, and their rights under the GDPR, including how they can exercise those rights.
GDPR clause (with subcontractor compliance)
This clause ensures subcontractor compliance with GDPR.
The Parties agree that any subcontractors involved in processing personal data must comply with the General Data Protection Regulation (GDPR). The Data Processor will ensure that subcontractors are bound by data protection obligations equivalent to those set forth in this Agreement and will remain responsible for ensuring compliance with GDPR requirements by its subcontractors.
GDPR clause (with data subject's right to object to processing)
This clause outlines the right of data subjects to object to processing.
The Parties agree that data subjects have the right to object to the processing of their personal data under the General Data Protection Regulation (GDPR). If a data subject exercises their right to object, the Parties will cease processing the data unless there is a legitimate reason to continue processing that overrides the data subject's rights.
GDPR clause (with obligations for the deletion of personal data)
This version requires the deletion of personal data after a certain period.
The Parties agree that any personal data processed under this Agreement will be deleted or anonymized once it is no longer necessary for the purposes outlined in the General Data Protection Regulation (GDPR). The Parties will ensure that personal data is deleted securely and in accordance with applicable data protection laws when it is no longer needed for the intended purpose.
GDPR clause (with provision for data access audits)
This clause includes provisions for data access audits.
The Parties agree to conduct regular audits of all personal data access activities related to this Agreement. The audits will be designed to ensure compliance with the General Data Protection Regulation (GDPR) and will focus on verifying that only authorized personnel are accessing personal data for legitimate purposes.
GDPR clause (with data protection by design and by default)
This version incorporates "data protection by design and by default."
The Parties agree to implement "data protection by design and by default" as required by the General Data Protection Regulation (GDPR). This means that data protection measures will be integrated into the design of processing activities and systems from the outset, and only the minimum amount of personal data necessary for each processing purpose will be processed.
GDPR clause (with provision for periodic privacy impact assessments)
This clause mandates periodic privacy impact assessments.
The Parties agree to conduct periodic Privacy Impact Assessments (PIAs) to evaluate any potential risks associated with the processing of personal data under this Agreement. The PIAs will be conducted at least annually or whenever there is a significant change in data processing activities, ensuring that the processing remains compliant with the General Data Protection Regulation (GDPR).
GDPR clause (with notification of changes in data processing)
This clause addresses notification of changes in data processing activities.
The Parties agree to notify each other within [X] days of any material changes to the processing of personal data under this Agreement. These changes may include new processing purposes, changes in data processing locations, or the use of new data processing systems. Both Parties will ensure that any changes comply with the General Data Protection Regulation (GDPR).
GDPR clause (with data subject access request handling)
This version addresses the handling of data subject access requests (DSARs).
The Parties agree to assist in responding to any data subject access requests (DSARs) received under the General Data Protection Regulation (GDPR). The Data Controller will ensure that the data subject's request is fulfilled in accordance with the GDPR, and the Data Processor will give the necessary assistance to provide the requested information within the required timeframe.
GDPR clause (with provision for data protection officer)
This clause includes the appointment of a data protection officer (DPO).
The Parties agree to appoint a Data Protection Officer (DPO) to oversee compliance with the General Data Protection Regulation (GDPR). The DPO will be responsible for ensuring that all personal data processing activities are in line with the GDPR and will act as the point of contact for any data protection concerns or requests from data subjects or supervisory authorities.
GDPR clause (with provision for third-party audits of data processing activities)
This clause includes third-party audits of data processing activities.
The Parties agree that third-party audits may be conducted periodically to assess the compliance of data processing activities with the General Data Protection Regulation (GDPR). Each audit will focus on reviewing the technical and organizational measures in place to protect personal data, and the results will be shared with both Parties to ensure continued compliance with the GDPR.
GDPR clause (with right to rectification of data)
This version addresses the right of rectification for personal data.
The Parties agree to promptly rectify any inaccurate or incomplete personal data processed under this Agreement upon request from the data subject or upon discovery of inaccuracies. The rectification will be carried out in accordance with the General Data Protection Regulation (GDPR), and both Parties will ensure that any inaccuracies are corrected without undue delay.
GDPR clause (with restrictions on processing special categories of data)
This clause restricts the processing of special categories of data.
The Parties agree that special categories of personal data, as defined under the General Data Protection Regulation (GDPR), will not be processed unless explicitly necessary for the purpose of this Agreement and only with the explicit consent of the data subject or where other lawful grounds for processing exist under the GDPR.
GDPR clause (with requirement for explicit consent in marketing activities)
This version addresses consent for marketing activities.
The Parties agree that personal data will only be used for marketing purposes related to this Agreement if explicit consent is obtained from the data subject in compliance with the General Data Protection Regulation (GDPR). Data subjects will be informed of their right to withdraw consent at any time, and marketing practices will adhere to the requirements set forth by the GDPR.
GDPR clause (with responsibilities for data processors)
This clause defines the responsibilities of data processors.
The Parties agree that, as a Data Processor, [Party B] will only process personal data in accordance with the documented instructions of the Data Controller, [Party A]. The Data Processor shall not process personal data for any purposes other than those outlined in this Agreement and will ensure compliance with the General Data Protection Regulation (GDPR) at all times.
GDPR clause (with obligations for data protection training)
This version includes obligations for data protection training.
The Parties agree to provide regular data protection training to all employees involved in the processing of personal data under this Agreement. The training will cover the obligations and responsibilities under the General Data Protection Regulation (GDPR), data security best practices, and the rights of data subjects.
GDPR clause (with restrictions on data profiling)
This clause limits the use of data profiling.
The Parties agree that personal data will not be used for profiling purposes unless explicitly required by this Agreement or authorized by the data subject. Any profiling activities will comply with the General Data Protection Regulation (GDPR) and ensure that data subjects are informed of their right to object to such processing.
GDPR clause (with provisions for data subject’s right to portability)
This version includes provisions for data portability.
The Parties agree to ensure that data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format, as specified in the General Data Protection Regulation (GDPR). Upon request, the Parties will provide the data to the data subject or, if the data subject so requests, transfer it directly to another data controller.
GDPR clause (with confidentiality obligations)
This clause includes confidentiality obligations for personal data processing.
The Parties agree that any personnel involved in the processing of personal data under this Agreement will be bound by confidentiality obligations. Personal data shall not be disclosed to unauthorized individuals or third parties, and the Parties shall ensure that all individuals handling personal data are aware of their duties under the General Data Protection Regulation (GDPR).
GDPR clause (with restrictions on data sharing with external partners)
This version restricts data sharing with external partners.
The Parties agree that personal data will not be shared with external partners or third-party service providers unless specifically required by this Agreement or authorized by the data subject. Any sharing of personal data with third parties must comply with the General Data Protection Regulation (GDPR) and will be subject to appropriate data protection agreements.
GDPR clause (with provision for data protection impact assessments)
This clause addresses the need for data protection impact assessments (DPIAs).
The Parties agree to conduct a Data Protection Impact Assessment (DPIA) when necessary, particularly if the processing of personal data is likely to result in a high risk to the rights and freedoms of data subjects. The DPIA will be carried out in compliance with the General Data Protection Regulation (GDPR), and any identified risks will be mitigated accordingly.
GDPR clause (with provision for monitoring processing activities)
This version addresses the monitoring of processing activities.
The Parties agree to continuously monitor all personal data processing activities to ensure compliance with the General Data Protection Regulation (GDPR). Both Parties will implement mechanisms to track and assess the effectiveness of their data protection measures and will make adjustments as necessary to remain compliant with the GDPR.
GDPR clause (with obligations regarding cross-border data transfers)
This clause specifies obligations for cross-border data transfers.
The Parties agree that any transfer of personal data outside of the European Economic Area (EEA) will be conducted in compliance with the General Data Protection Regulation (GDPR). Cross-border data transfers will be subject to the use of adequate safeguards such as Standard Contractual Clauses (SCCs) or other legally acceptable mechanisms to ensure that data protection is maintained.
GDPR clause (with provisions for correcting inaccurate data)
This version provides for correcting inaccurate data.
The Parties agree that if personal data processed under this Agreement is found to be inaccurate, it will be promptly corrected or erased in accordance with the General Data Protection Regulation (GDPR). Both Parties will ensure that inaccurate or incomplete data is rectified as soon as possible to comply with the data subject’s rights.
This article contains general legal information and does not contain legal advice. Cobrief is not a law firm or a substitute for an attorney or law firm. The law is complex and changes often. For legal advice, please ask a lawyer.