Compliance

GDPR Compliance Checklist for International Contracts

David Mueller
Privacy & Compliance Expert
Feb 8, 2026
10 min read

The General Data Protection Regulation has been in force since May 2018, and enforcement has accelerated significantly. The EU's data protection authorities have collectively issued billions of euros in fines, with the largest single penalties, Meta's €1.2 billion (2023) and Amazon's €746 million (2021), each well above €700 million, and regulators have made clear that the honeymoon period for businesses to get their data practices in order is definitively over.

For contracts, GDPR creates specific requirements that go beyond general privacy-policy compliance. When your business processes personal data on behalf of customers, or when you share personal data with vendors and service providers, specific contractual provisions are legally required: not best practice but a mandatory obligation under Article 28, and their absence is its own infringement, independent of whether any data is actually mishandled.

The Foundational Distinction: Controller vs. Processor

Every GDPR analysis begins with classification. A data controller determines the purposes and means of processing personal data — the business that decides to collect customer email addresses and use them for marketing is a controller. A data processor processes personal data on behalf of a controller — the email marketing platform that sends those emails under the controller's instructions is a processor.

This distinction determines which contractual obligations apply. Controllers must have a legal basis for processing personal data and must give data subjects the transparency information required by Articles 13 and 14, including an explanation of their rights. Processors must process data only on documented instructions from controllers and must implement appropriate security measures. When a controller engages a processor, GDPR Article 28 requires a written contract (or other binding legal act) containing specific mandatory provisions.

The analysis isn't always clean — some entities are both controllers and processors for different data flows, and joint controller arrangements require their own contractual framework. Getting the classification right is the necessary first step before any contract analysis.

The GDPR Article 28 Mandatory Contract Checklist

Data Processing Agreements (DPAs) between controllers and processors must include all of the following elements, set out in GDPR Article 28(3). Use this as a checklist for any agreement where personal data of individuals in the EU/EEA is involved:

☐ Processing only on documented instructions
The processor must process personal data only on documented instructions from the controller, including with regard to transfers of personal data to third countries. The one exception is processing required by EU or Member State law; in that case the processor must inform the controller of the legal requirement before processing, unless that law prohibits the notice. Controllers must provide these instructions in writing, typically through the DPA itself plus any applicable statement of work or service description.

☐ Confidentiality obligations on authorized personnel
Persons authorized to process personal data must be subject to confidentiality obligations — either a statutory duty of confidentiality or contractual confidentiality provisions. The DPA must confirm this requirement applies to the processor's personnel.

☐ Technical and organizational security measures
The processor must implement appropriate technical and organizational measures to ensure security appropriate to the risk — including encryption, pseudonymization, access controls, incident response procedures, and regular security testing. Many DPAs reference specific security standards (ISO 27001, SOC 2) as evidence of compliance.

☐ Subprocessor controls
Processors may not engage subprocessors without prior specific or general written authorization from the controller. For general authorization (where the processor maintains a subprocessor list), the controller must be informed of any subprocessor changes with sufficient advance notice to allow objection. Subprocessors must be bound by the same data protection obligations as the primary processor, and under Article 28(4) the primary processor remains fully liable to the controller for the subprocessor's performance of those obligations.

☐ Data subject rights assistance
The processor must assist the controller in responding to data subject requests — access requests, erasure requests, portability requests, and objections to processing. DPAs should specify the process and timeline for this assistance.

☐ Security and breach assistance
The processor must assist the controller in meeting its obligations on security, data protection impact assessments, prior consultation with the supervisory authority, and personal data breach notification. The breach clock runs on the controller: Article 33 requires notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, and Article 33(2) requires the processor to notify the controller without undue delay after it becomes aware. Processor notification timelines in the DPA should be short enough to leave the controller room inside that window.

☐ Deletion or return of data
After the end of the processing services, the processor must, at the controller's choice, delete or return all personal data and delete existing copies, unless EU or Member State law requires retention. The DPA should state how the controller exercises that choice, the timeframe for deletion or return, and what written confirmation of deletion the processor will provide.

☐ Audit rights and information provision
The processor must make available all information necessary to demonstrate compliance with GDPR obligations and allow for and contribute to audits and inspections by the controller or an auditor mandated by the controller. Reasonable audit procedures and cost allocation should be specified.

International Data Transfer Requirements

When personal data of individuals in the EU/EEA is transferred to a country outside the EU/EEA that has not received an "adequacy decision" from the European Commission, a valid transfer mechanism must be in place. The United States has no general adequacy decision: the 2023 decision covers only organizations certified under the Data Privacy Framework, so transfers to any other U.S. importer need one of the mechanisms below. The three primary mechanisms are:

Standard Contractual Clauses (SCCs): The European Commission has approved standardized contract clauses that provide appropriate data protection safeguards. The 2021 SCCs come in four modules, selected by the parties' roles: Module 1 (controller to controller), Module 2 (controller to processor), Module 3 (processor to processor) and Module 4 (processor to controller). They replaced the prior versions and must be used for all transfer arrangements; for transfers to importers in the U.S. and other non-adequate countries, SCCs remain the most widely applicable mechanism.

EU-U.S. Data Privacy Framework (DPF): Established in 2023, the DPF allows U.S. organizations certified under the framework to receive EU personal data without SCCs. Organizations must self-certify through the U.S. Department of Commerce. However, given the history of prior EU-U.S. transfer frameworks being invalidated by the Court of Justice of the EU, many organizations continue to use SCCs as a backup even when relying on DPF certification.

Binding Corporate Rules (BCRs): Applicable for intra-group transfers within multinational corporations. BCRs require approval by a lead supervisory authority and provide a comprehensive framework for all transfers within the corporate group. The approval process is lengthy and resource-intensive, making BCRs primarily practical for large multinationals.

For contracts involving U.S. vendors processing EU personal data, the contractual checklist expands to include: confirming the applicable transfer mechanism; incorporating the SCC module that matches the specific relationship (Module 2 for a controller exporting to a processor, Module 3 for a processor exporting to a subprocessor) and completing its annexes; conducting a transfer impact assessment (TIA) documenting the legal landscape in the destination country and any supplementary measures needed; and confirming that the importer's assessment of local laws affecting its ability to comply (SCC Clause 14) and its commitments on government access requests, including notifying the exporter where the law allows (Clause 15), are documented.

GDPR Provisions to Include in All Vendor Agreements

Even for vendor relationships that don't involve direct processing of EU personal data — but where there's any possibility of such processing — including protective provisions costs little and protects significantly:

Representation of GDPR compliance: Vendor represents that its data processing activities comply with GDPR requirements applicable to processors, including maintaining appropriate technical and organizational security measures.

Notification of processing changes: Vendor will notify customer of any changes to its processing activities, subprocessors, or security practices that may affect the customer's GDPR compliance obligations.

Data breach notification timeline: Vendor will notify customer within 24-48 hours of becoming aware of any personal data breach affecting customer data. Article 33(2) only requires a processor to notify "without undue delay", so a fixed contractual ceiling matters: it leaves the customer room inside its own 72-hour window for notifying the supervisory authority. The notice should also commit the vendor to supply the Article 33(3) details (nature of the breach, categories and approximate numbers of data subjects and records, likely consequences, measures taken) as they become available.

Geographic processing restrictions: Vendor will process customer personal data only in specified locations, or will provide advance notice and require customer consent before processing personal data in new jurisdictions.

Data subject request assistance: Vendor will assist customer in responding to data subject requests within timelines enabling customer to comply with GDPR's one-month response requirement.

Common GDPR Contract Failures and How to Avoid Them

Incomplete DPA provisions: DPAs that omit one or more mandatory Article 28 elements are non-compliant even if a DPA exists. Use the checklist above to verify completeness.

Stale subprocessor lists: DPAs that allow processor changes to subprocessors without notification fail the subprocessor control requirement. Ensure the DPA includes a specific notification mechanism and timeframe for subprocessor changes.

Missing or invalid SCCs: Transfers without a valid mechanism are a primary enforcement target; the largest GDPR fine to date, Meta's €1.2 billion in 2023, was imposed for EU-U.S. transfers without adequate safeguards. Verify that SCCs are included for any U.S. vendor processing EU personal data that is not DPF-certified, that the correct 2021 SCC module is used, and that the annexes are completed: Annex I (parties, description of the transfer, competent supervisory authority), Annex II (technical and organizational measures) and, for Modules 2 and 3, Annex III (list of subprocessors). SCCs with blank annexes describe no actual transfer and should be treated as incomplete.

Broad data use permissions: DPA provisions that allow vendors to use customer personal data for purposes beyond providing the contracted service — including product improvement, analytics, or training AI models — may violate the purpose limitation principle and the requirement that processing occurs only on controller instructions.

Unlimited retention provisions: GDPR's storage limitation principle requires that personal data be kept no longer than necessary for the processing purpose. DPA provisions allowing vendors to retain personal data indefinitely after contract termination may violate this requirement.

Building GDPR Compliance Into Your Contract Process

GDPR compliance shouldn't be a last-minute contract review task — it should be embedded in your vendor onboarding and contract management processes structurally.

Before any vendor relationship involving EU personal data: classify the relationship (controller-processor, joint controllers, or independent controllers); execute a DPA, whether the vendor's standard terms or your own template, before any personal data flows; verify the applicable transfer mechanism for international transfers; and check the DPA against every Article 28 requirement using the checklist above.

Annually: review your subprocessor list against your DPA's subprocessor requirements; verify that transfer mechanisms remain valid (particularly DPF certification, which requires annual renewal); and confirm that vendors have maintained the security certifications referenced in DPA provisions.
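As an added worked example (not code from the original article or from any vendor's DPA), the script below encodes the onboarding and annual checks above as a vendor review that can run over a vendor inventory: it flags missing Article 28(3) elements, checks that the transfer mechanism fits the importer's country and the parties' roles (DPF only for a certified U.S. importer, the SCC module matching the controller/processor relationship, a TIA on file), warns when DPF re-certification is due, and diffs the vendor's live subprocessor list against the one the DPA authorizes. The vendor names, subprocessor names, dates, clause tags and the partial adequacy list are all constructed assumptions.

```python
"""Vendor review applying the article's contract checklist (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Art. 28(3) elements every DPA must contain. The short tags are this example's own.
ARTICLE_28_ELEMENTS = {
    "instructions": "processing only on documented instructions, Art. 28(3)(a)",
    "confidentiality": "confidentiality of authorised personnel, Art. 28(3)(b)",
    "security": "Art. 32 technical and organisational measures, Art. 28(3)(c)",
    "subprocessors": "subprocessor authorisation and flow-down, Art. 28(3)(d)",
    "dsr_assistance": "assistance with data subject requests, Art. 28(3)(e)",
    "breach_assistance": "assistance with Arts. 32-36 obligations, Art. 28(3)(f)",
    "deletion_return": "deletion or return at end of services, Art. 28(3)(g)",
    "audit": "information and audit rights, Art. 28(3)(h)",
}

EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE",
       "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
       "IS", "LI", "NO"}
# Countries with a general adequacy decision: partial list constructed for the example,
# check the Commission's current list. The US is deliberately absent because its 2023
# decision reaches only DPF-certified importers, which is handled separately below.
ADEQUATE = {"CH", "GB", "JP", "KR", "NZ", "IL", "AR", "UY", "CA"}

# Which 2021 SCC module fits which exporter-importer relationship.
SCC_MODULE_FOR_ROLE = {
    "controller-controller": "SCC-M1",
    "controller-processor": "SCC-M2",
    "processor-processor": "SCC-M3",
    "processor-controller": "SCC-M4",
}


@dataclass
class VendorRecord:
    name: str
    relationship: str                  # a key of SCC_MODULE_FOR_ROLE
    importer_country: str              # ISO 3166-1 alpha-2 code
    dpa_clauses: set[str]              # ARTICLE_28_ELEMENTS tags found in the signed DPA
    transfer_mechanism: str | None = None   # "SCC-M1".."SCC-M4", "DPF", "BCR" or None
    dpf_expires: date | None = None         # next DPF self-certification renewal date
    tia_completed: bool = False
    subprocessor_notice_days: int = 0       # advance notice the DPA grants for objections
    dpa_subprocessors: set[str] = field(default_factory=set)      # listed in DPA / Annex III
    current_subprocessors: set[str] = field(default_factory=set)  # vendor's live published list


def review_vendor(v: VendorRecord, today: date, renewal_window_days: int = 60) -> list[str]:
    """Return the findings for one vendor; an empty list means every check passed."""
    findings: list[str] = []

    # 1. Article 28(3) completeness: a DPA missing any element is non-compliant.
    for tag, desc in ARTICLE_28_ELEMENTS.items():
        if tag not in v.dpa_clauses:
            findings.append(f"DPA missing: {desc}")
    if "subprocessors" in v.dpa_clauses and v.subprocessor_notice_days <= 0:
        findings.append("DPA gives no advance-notice period for subprocessor changes")

    # 2. Transfer mechanism, needed only for importers outside the EEA without adequacy.
    if v.importer_country not in EEA and v.importer_country not in ADEQUATE:
        m = v.transfer_mechanism
        if m is None:
            findings.append(f"no transfer mechanism for importer in {v.importer_country}")
        elif m == "DPF":
            if v.importer_country != "US":
                findings.append("DPF covers only certified US importers")
            elif v.dpf_expires is None or v.dpf_expires < today:
                findings.append("DPF certification lapsed or undated; fall back to SCCs")
            elif (v.dpf_expires - today).days <= renewal_window_days:
                findings.append(f"DPF certification renews by {v.dpf_expires}; confirm re-certification")
        elif m.startswith("SCC"):
            expected = SCC_MODULE_FOR_ROLE.get(v.relationship)
            if m != expected:
                findings.append(f"SCC module {m} does not fit {v.relationship} (expected {expected})")
            if not v.tia_completed:
                findings.append("no transfer impact assessment on file for SCC transfer")
        elif m != "BCR":
            findings.append(f"unrecognised transfer mechanism {m!r}")

    # 3. Subprocessor drift: anyone on the live list but not in the DPA was never authorised.
    added = v.current_subprocessors - v.dpa_subprocessors
    if added:
        findings.append("subprocessors engaged without DPA listing: " + ", ".join(sorted(added)))
    return findings


# Constructed sample records: hypothetical vendors, subprocessors and dates.
TODAY = date(2026, 2, 8)
ALL_CLAUSES = set(ARTICLE_28_ELEMENTS)
SAMPLE_VENDORS = [
    VendorRecord("mailer-us", "controller-processor", "US", ALL_CLAUSES, "DPF",
                 dpf_expires=date(2026, 3, 10), subprocessor_notice_days=30,
                 dpa_subprocessors={"cloudhost-eu"},
                 current_subprocessors={"cloudhost-eu", "analytics-us"}),
    VendorRecord("ticketing-us", "controller-processor", "US",
                 ALL_CLAUSES - {"deletion_return", "audit"}, "SCC-M3",
                 dpa_subprocessors={"cloudhost-eu"}, current_subprocessors={"cloudhost-eu"}),
    VendorRecord("payroll-de", "controller-processor", "DE", ALL_CLAUSES,
                 subprocessor_notice_days=30),
]


def run_review(today: date = TODAY) -> dict[str, list[str]]:
    """Review every sample vendor and map its name to its findings."""
    return {v.name: review_vendor(v, today) for v in SAMPLE_VENDORS}


if __name__ == "__main__":
    for name, findings in run_review().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Run as a script it prints one block per vendor: the DPF-certified mailer is flagged for an upcoming re-certification and an unlisted subprocessor, the ticketing vendor for two missing Article 28(3) elements, no objection window, the wrong SCC module and no TIA, and the EEA-hosted payroll vendor passes. In a real inventory the records would come from your contract repository and the live subprocessor lists from the vendors' published pages, and the clause tags would be assigned during DPA review rather than typed in by hand.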

The regulatory environment continues to evolve — new adequacy decisions, revised SCC guidance, and ongoing enforcement actions regularly affect the compliance landscape. Staying current with GDPR developments and ensuring your contract provisions reflect current requirements is an ongoing obligation, not a one-time compliance exercise.
