GDPR & contract management

How to ensure data protection and compliance with privacy regulations

Posted November 16, 2023

We have a naturally strong focus on data protection and compliance. Even before the General Data Protection Regulation (GDPR) began to apply on 25 May 2018, COMAsystem was developed with “Privacy by Design” in mind. This means that data placed with us is protected by the technical design of the solution itself, i.e. the technology stack it is built on.

The purpose of the legislation is to sharpen the focus on how personal data is used, by requiring companies and organisations to know where, how and why they use personal data, as well as where and how that data is stored, shared and deleted.

Business operations are not getting less digital, and neither is the amount of data, which is why we focus on the main areas you need to be aware of in order to protect personal data in your contract management.

Third-country transfers and data processing agreements

The term third-country transfer refers to your organisation sharing personal data with parties outside the EU/EEA, such as suppliers, service providers, partners and subsidiaries. Such a transfer needs a valid transfer mechanism (for example an EU adequacy decision or the standard contractual clauses) in addition to the data processing agreement.

Exchanging data with your suppliers, service providers, partners and subsidiaries can be necessary, especially as more and more software, contract management included, moves to the cloud as Software as a Service (SaaS).

“It’s your obligation as a data controller”

To comply with the GDPR, you must be particularly aware that when a supplier processes personal data entrusted to you, acting as data processor for, for example, your customers’ and employees’ personal data, the data processing agreement (DPA) between the supplier and you must set out what data is processed, how it is stored and for what purpose it is processed.

As data controller, it is your obligation to ensure that data entrusted to you is processed by your suppliers under conditions no weaker than those you are bound by yourself. You must therefore consider at least the following:

Where is the data stored?

Is it stored within the EU/EEA on equipment controlled by the supplier?

Which deletion policy is in place?

Is data deleted when you delete it in the solution, and when the co-operation ends?

Do they use subcontractors?

Do they make third country transfers in the solution they offer you?

Is there a procedure in the event of a personal data breach?

Is it described how a breach is handled and how quickly you, as controller, are notified? (Under the GDPR the processor must notify the controller without undue delay.)

“The supplier must be able to provide an ISAE 3000 Type II declaration. This is usually a good indicator of how the supplier works with both IT security and GDPR”

Christian Richter-Pedersen
CEO & DPO, COMAsystem

These points should all be covered in the data processing agreement. You can see the data processing agreement that forms the basis for the processing we do on behalf of our customers here; it is based on the Danish Data Protection Agency’s template.

Ensure that the supplier can provide an ISAE 3000 Type II declaration. ISAE 3000 is the assurance standard typically used for declarations on GDPR and Data Protection Act compliance; it should be seen as a framework of control objectives and control activities, for example which security measures and processes a data processor has set up and how they operate. The Type II part matters: unlike a Type I report, which only describes the controls at a point in time, a Type II report states whether the controls actually operated effectively throughout the covered period, so check the period and the scope (including whether subcontractors are covered) before relying on it.

Automatic deletion of sensitive personal data

You cannot store personal data forever, but you may keep it for as long as there is an active relationship between you and the data subject, or a legal requirement to retain it.

According to the Danish Bookkeeping Act, accounting material must be kept for five years (counted from the end of the financial year it relates to), but what about the contracts and agreements you enter into on an ongoing basis with suppliers and customers, all of which form the basis for your invoices, credit notes and vouchers?

The GDPR does not set a fixed retention period for personal data; it requires that you keep it no longer than necessary for the purpose. You must therefore define, and be able to justify, how long after the end of a collaboration you still consider the relationship active.

“Retire your printer, scanner and ballpoint pen”

For example, you have entered into a three-year contract with a customer that is not renewed and the relationship ends, but your historical customer data shows that a certain proportion of customers return after four years. You can then justify storing customer data containing personal data for up to seven years.

When using contract management, it is therefore important to keep track of your deletion policies, as retention periods can differ between purchase, sales and employment contracts.

In our dedicated contract management system, we follow the standard five years of the Danish Bookkeeping Act as the default, but it is up to you as the user to define your standard deletion deadlines for purchase, sales and employment contracts, or to specify a customised deletion date for each contract, in line with what you have disclosed to your customers, suppliers and partners.
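The retention logic described above has one trap worth making explicit: a deletion deadline you set yourself (a per-type default or a customised date on a single contract) must never undercut a statutory retention period that still applies to the same material. The following is an added example, not COMAsystem’s own code. It assumes hypothetical default retention years per contract type, that the Bookkeeping Act’s five years run from the end of the financial year the contract ended in, and that the financial year equals the calendar year; the sample contracts are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical default deletion deadlines per contract type, in years after
# the contractual relationship ends. The page only says the user defines them.
DEFAULT_RETENTION_YEARS = {"purchase": 5, "sales": 7, "employment": 5}

# Assumption: the Danish Bookkeeping Act's five years run from the end of the
# financial year the material relates to; the financial year is taken to be
# the calendar year here.
BOOKKEEPING_YEARS = 5


@dataclass
class Contract:
    contract_id: str
    contract_type: str
    ended_on: date                      # end of the contractual relationship
    custom_deletion_date: Optional[date] = None
    bookkeeping_relevant: bool = True   # underpins invoices, vouchers, etc.


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 Feb to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def bookkeeping_floor(ended_on: date) -> date:
    """Earliest date accounting-relevant material may be deleted."""
    return date(ended_on.year + BOOKKEEPING_YEARS, 12, 31)


def policy_deletion_date(c: Contract) -> date:
    """The deadline the organisation itself set (custom date or type default)."""
    if c.custom_deletion_date is not None:
        return c.custom_deletion_date
    if c.contract_type not in DEFAULT_RETENTION_YEARS:
        raise ValueError(f"no default retention for {c.contract_type!r}")
    return add_years(c.ended_on, DEFAULT_RETENTION_YEARS[c.contract_type])


def effective_deletion_date(c: Contract) -> tuple:
    """Resolve the deletion date as the later of the organisation's own
    deadline and the statutory floor. Returns (date, rule that decided it)."""
    policy = policy_deletion_date(c)
    if not c.bookkeeping_relevant:
        return policy, "policy"
    floor = bookkeeping_floor(c.ended_on)
    if policy < floor:
        return floor, "bookkeeping-floor"   # own deadline would delete too early
    return policy, "policy"


def due_for_deletion(contracts, today: date):
    """IDs of contracts whose effective deletion date has been reached."""
    return [c.contract_id for c in contracts
            if effective_deletion_date(c)[0] <= today]


def undercutting_floor(contracts):
    """Contracts whose own deadline is earlier than the statutory floor; the
    retention period disclosed to the counterparty should be corrected."""
    return [c.contract_id for c in contracts
            if effective_deletion_date(c)[1] == "bookkeeping-floor"]


# Constructed sample contracts, not real data.
SAMPLE = [
    Contract("SALE-001", "sales", date(2021, 3, 31)),
    Contract("PURCH-002", "purchase", date(2020, 6, 30),
             custom_deletion_date=date(2022, 1, 1)),
    Contract("EMP-003", "employment", date(2019, 9, 15),
             bookkeeping_relevant=False),
]

if __name__ == "__main__":
    for c in SAMPLE:
        when, rule = effective_deletion_date(c)
        print(f"{c.contract_id}: delete on {when} ({rule})")
    print("due on 2025-01-01:", due_for_deletion(SAMPLE, date(2025, 1, 1)))
    print("own deadline below statutory floor:", undercutting_floor(SAMPLE))
```

The point of `undercutting_floor` is that a customised date which is shorter than the legal retention period is not just silently overridden: it is reported, because the period you disclosed to the counterparty is then wrong and should be corrected too.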

“The data we store on behalf of our customers is always the customers’ data – it is the customer who decides on the duration of storage and possible deletion”

Christian Richter-Pedersen
CEO & DPO, COMAsystem

Centralisation and digital signatures

When you store your contracts in a contract management system, you can centralise your contract management processes, the storage of contract data and associated documents.

Centralised storage and management, combined with user management, allows each contract manager to monitor and react to events on individual contracts when required, for example a change in contract status from tender to approved and in operation, or to cancelled when the contractual relationship ends.

“Take one step at a time”

Retire your printer, scanner and ballpoint pen and sign your contracts digitally, so that the entire process is electronic and logged on the contract in question, and so that the signatory’s identity is verified, for example via MitID, the Danish national eID.

If you choose the COMAsystem contract management system, you can send documents for digital signing by one or more parties, ensuring that everyone receives the final agreement with designated e-signatures and the documents are automatically saved to the contract to which they are linked.

“A contract management system enables consistent storage and updating of contract data, so that it is not passed around via email and personal data does not flow uncontrollably within the organisation”

Christian Richter-Pedersen
CEO & DPO, COMAsystem

Get the processes under control

In our experience, companies and organisations want to be in control of their personal data processing – where you are in the process of mapping and setting up procedures often depends on resources.

One of the places where many are already 100% digitised is in their bookkeeping – there are established procedures for approving invoices and the accounting system stores all relevant invoices, credit notes and vouchers in accordance with the Danish Bookkeeping Act.

Now all you need is the rest: the correspondence, contracts and agreements behind the incoming and outgoing accounting documents. This may seem overwhelming. Our recommendation is to do what you would do if you were climbing Mount Everest: take one step at a time.

With preparation and the right equipment, you’ll reach your goal safely and faster, which is why we’ve developed COMAsystem – a user-friendly and intuitive contract management system that doesn’t drain your organisation’s resources. We support you throughout the onboarding process and structure the solution to match your workflows.

Take the first step – book an online demo and learn how we can secure your contract data and data protection compliance.