Abstract

The article discusses fundamental questions connected with the duty of data controllers and data processors to conclude data processing contracts referred to in Art. 28 of the GDPR. In particular, it analyses the procedures for giving access to or transferring personal data to a third party, and the criteria for distinguishing individual situations.

It also discusses what terms should be covered by a correctly formulated outsourcing contract for personal data processing and describes the solutions commonly used in transactions.