According to the GDPR, what does not have to be covered in the written contract?

A written contract between a controller and a processor is called a data processing agreement.

According to the GDPR, what does not have to be covered in the written contract?
A . The contractor code of business ethics and conduct that is used.
B . Which data are covered by the data processing agreement
C . The information security and personal data breach procedures
D . The technical and organizational measures implemented

View Answer

Answer: A

Explanation:

The contractor code of business ethics and conduct that is used. Correct. Although the GDPR endorses the use of codes of conduct and certification, it is not an obligation to have this clause to demonstrate compliance with the GDPR. (Literature: A, Chapter 8; GDPR Article 28(3))

The information security and personal data breach procedures. Incorrect. This is mandatory because it describes the obligations of the processor regarding the notification of a personal data breach (by the controller) to the supervisory authority.

The technical and organizational measures implemented. Incorrect. This is mandatory because it describes technical and organizational measures the processor must take.

Which data are covered by the data processing agreement. Incorrect. This is mandatory because it describes the personal data, including special category personal data, covered by the contract.