One key requirement under the GDPR is that "data controllers" and "data processors" need to have a contract in place. This contract needs to include mandatory provisions. We have just published a client bulletin on Behind the Blackboard to explain our approach to this requirement and include a summary below.
Blackboard has already updated its standard Data Processing Addendum (“Addendum”) last year with all required provisions, to assist clients to meet their legal obligations. We have now created an approach to ensure that clients can benefit from the Addendum automatically regardless of the contractual scenarios outlined below.
Contract in place
Blackboard’s current version of the master agreement
Our GDPR-ready Addendum is already automatically incorporated by reference
The GDPR-ready Addendum already applies and will continue to apply.
Specifically negotiated agreement with GDPR provisions (e.g. based on client's documentation))
The contract and/or data processing addendum will include the required GDPR provisions.
Clients can rely on the GDPR provisions they negotiated with us. These will continue to apply.
Older versions of Blackboard’s master agreement
May not automatically incorporate our GDPR-ready Addendum
The GDPR-ready Addendum will automatically apply.
Specifically negotiated agreements without GDPR provisions
Do not include required GDPR provisions.
The standard Addendum will automatically apply.*
*For Scenario 4, we consider our standard Addendum as the minimum contractual data privacy terms to apply. If clients have a specifically negotiated agreement with us with data privacy provisions that are more favourable to them and which do not conflict with the required GDPR provisions in our Addendum, we will consider those data privacy provisions applicable as well.