At this time of year it might seem that we are about to discuss other current affairs, more related to sport and to the frustrations and future ambitions of some teams. Every day we hear about signings, departures, new contracts and possible renewals... but that is not really what we have to deal with here. It does have to do with contracts, but with those of data processors.
One of the last vestiges of the old LOPD still in force was the validity of data processor contracts signed before May 25, 2018. These remained valid until the date indicated in the contract or, in the case of contracts of indefinite duration, until May 25, 2022. And the day has come.
Ideally, you would not have reached this point without having made a move, because that avoids being caught out. In any case, it is now absolutely essential to adapt the contracts that predate the General Data Protection Regulation. Logically, the new content that the GDPR introduces as an evolution of the previous regulation is not adequately covered in the old contracts, and it is a high risk for the data controller not to have this properly tied down with its processors. Four years have passed since the GDPR came into force, and it is a good time for everyone to take the opportunity to look inward and assess themselves.
Let's review. Who is the data processor? The natural or legal person chosen by the data controller to process the data for specific purposes. That is: managers, video surveillance companies, communication agencies, IT maintenance companies... It is therefore advisable to analyze each case individually. It may not always be necessary to sign a new service provision contract; in some cases it may be sufficient to add an addendum containing the clauses required by the regulation.
In any case, it is a very good time to take stock and incorporate the obligation contained in the GDPR to choose only data processors who offer guarantees that they will respect the rights and freedoms of the data subjects in the processing of personal data. In other words, it is necessary to evaluate the providers who will process personal data under their own responsibility. This is especially relevant when data processors are located outside the European Union. The obligations of the past are not the same as those of today, and failing to update them can lead to more than one unpleasant surprise.