Contract Management tools and CLM (Contract Lifecycle Management) practices offer the opportunity to integrate managed processes from the very beginning of the data stream: the contracts. Article 28 of GDPR provides some guidelines that we develop in this paper.

Contracts and GDPR

Organizations can almost easily identify the source of sensitive data in their contracts, either because contracts de facto represent the data collecting events (B2C and B2B) or because data treatment or manipulation is the subject of contracts themselves (B2B). This latter is the case of third parties involved in data manipulation or data treatment, the so-called “processors” by article 28 of the GDPR. Relationship with these parties is regulated by contracts.

Article 28

EU general data protection regulation 2016/679 (GDPR), in effect since 25 May 2018, states in Article 28 that

“…the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.” 

Wording in bold characters in the above quoted text is not our personal typographic choice. The impact of this article has not been overviewed by Brussels yet but the concept is crystal clear: processor’s responsibility goes beyond his own organization; it extends to the whole business network it relies on. This also affects foreign companies and organizations that treat EU citizen’s data.

When dealing with sensitive data the governance of relations with processors by contracts is not a common-sense or best practice anymore but an obligation as dictates Article 28, paragraph nr. 3:

“Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller […]”

From a practical point of view, organizations should develop governance procedures for managing the sensitive data chain and all relations with processors assuring their compliance. This is where CLM can help.

How can CLM help?

CLM’s basic principle is taking full control of the contract lifecycle and all contract related aspects impacting organizational issues. This means that by using CLM practices companies have the ability to control and manage direct relations between business processes and contracts, considering the latter as sources.

It is a fact that Legal Audit is a fast and precise operation when CLM tools are adopted. The same cannot be said about traditional or manual legal management: in one of our customers the Legal Audit process was reduced, after adopting CLM, from 2 or 3 days to 30 minutes.

All the above can be translated into the following general actions:

  1. Identifying specific contracts and contract categories that represent sources of sensitive data.
  2. Identifying IT and service contracts with third-parties and contractors related to a).
  3. Collecting contracts in b) for auditing the GDPR required guarantees and compliancy of the involved parties for the whole data stream.
  4. Integrating CLM with Business Process Management and its link to the GDPR process management: data treatment audit items should be identified with their legal sources in order to guarantee their management and enhance all following process maintenance.
  5. Evaluating the opportunity of sharing the same tools as common language between controller and processor.
  6. Managing GDPR processes (audit and maintenance) using the legal perspective as a starting point.


Organizations need support regarding EU sensitive data manipulation compliance; complex activities must be managed involving IT and service contracts review. Contract Lifecycle Management tools help organizations in the tedious task of identifying and collecting their processors for a correct GDPR risk management.

This article is also available in LinkedIn, in pdf format, here.