Data processing agreement approach for GDPR

Blog Post created by sgeering on Apr 23, 2018

One key requirement under the GDPR is that "data controllers" and "data processors" need to have a contract in place. This contract needs to include mandatory provisions. We have just published a client bulletin on Behind the Blackboard to explain our approach to this requirement and include a summary below.


Blackboard has already updated its standard Data Processing Addendum (“Addendum”) last year with all required provisions, to assist clients to meet their legal obligations. We have now created an approach to ensure that clients can benefit from the Addendum automatically regardless of the contractual scenarios outlined below.





Contract in place

Current situation



Blackboard’s current version of the master agreement

Our GDPR-ready Addendum is already automatically incorporated by reference

The GDPR-ready Addendum already applies and will continue to apply.


Specifically negotiated agreement with GDPR provisions (e.g. based on client's documentation))

The contract and/or data processing addendum will include the required GDPR provisions.

Clients can rely on the GDPR provisions they negotiated with us. These will continue to apply.


Older versions of Blackboard’s master agreement

May not automatically incorporate our GDPR-ready Addendum

The GDPR-ready Addendum will automatically apply.


Specifically negotiated agreements without GDPR provisions

Do not include required GDPR provisions.

The standard Addendum will automatically apply.*


  *For Scenario 4, we consider our standard Addendum as the minimum contractual data privacy terms to apply. If clients have a specifically negotiated agreement with us with data privacy provisions that are more favourable to them and which do not conflict with the required GDPR provisions in our Addendum, we will consider those data privacy provisions applicable as well.