GDPR and your contracts: What are the requirements and how do you meet them?
GDPR sets clear requirements for how personal data is handled — including in contracts. Do you know which of your contracts involve personal data, and whether they meet the requirements?
Which contracts are affected?
All contracts where personal data is processed are affected by GDPR. This includes not only obvious cases like HR systems and customer registers, but also supplier contracts where subcontractors handle data on your behalf.
- ✓ IT suppliers and cloud services
- ✓ Payroll administration and HR systems
- ✓ Marketing tools and CRM
- ✓ Consultants with access to internal systems
- ✓ Cleaning, security and other service providers with access to premises
Data Processing Agreements (DPA)
When a third party processes personal data on your behalf, a Data Processing Agreement (DPA) is required. The agreement must specify which data is processed, the purpose, retention period and security measures.
Without a DPA you are in breach of GDPR, regardless of whether the supplier actually handles the data correctly.
Common deficiencies
- ✗ Missing DPAs — a contract exists but the data processing agreement is missing or outdated
- ✗ Unclear data storage — the contract does not state where data is stored (EU/third country)
- ✗ No deletion procedures — the contract lacks instructions for what should happen with data when the contract ends
- ✗ Unregulated subcontractors — the supplier uses subcontractors without this being regulated in the contract
How Tagd helps with GDPR compliance
Tagd can identify which of your contracts likely involve personal data and flag if a DPA is missing. The AI reviews clauses related to data protection, storage location and security measures.
"We thought we had DPAs with all suppliers. Tagd showed that we were missing them for 12 out of 45 — including our largest IT supplier."
Published November 5, 2025
