© 2025 TrustArc Inc. Proprietary and Confidential Information.
Mastering Privacy Contracting: Key Clauses, Risks & Negotiation Strategies
Legal Disclaimer
The information provided during this webinar does
not, and is not intended to, constitute legal advice.
Instead, all information, content, and materials presented during
this webinar are for general informational purposes only.
Speakers
Val Ilchenko
General Counsel & Chief Privacy Officer
TrustArc
Dave Coogan
Associate
Paul Hastings
Kathryn Helin
Lead Counsel, Privacy
Snyk
Cathleen Doyel
Deputy General Counsel
TrustArc
Agenda
1. What is Privacy Contracting?
2. Where to Find Privacy Terms
3. Dynamics: Leverage & Relationships
4. Common Issues and Negotiation Tactics
What is Privacy Contracting?
● Typically addresses the handling, processing, or storage of
personal (and/or adjacent) data.
● Is frequently required under the GDPR, CCPA, and other
laws under multiple common arrangements (e.g., service
provider/data processor, sale/share, etc.)
● Can be conflated with information security provisions and
may even include them (e.g., technical measures under
Standard Contractual Clauses).
● Isn’t always negotiable (due to dynamics, structure, legal
requirements, etc.)
● Is sometimes an acceptable way to transfer data across
borders
Where to Find Privacy Terms
● Company Docs (Non-Negotiable)
○ Privacy Policy
○ Sub-processors and Affiliates Disclosure
○ Technical and Organizational Measures (TOMS)
○ Cookie Policy
● Contracts
○ Terms of Service/End-User License Agreement
○ Data Processing Agreement (DPA)
○ Security Addendum
○ Business Associate Addendum (if applicable)
Dynamics: Context, Leverage & Relationships
● Consider B2B vs. B2C
● Deal size
● Size, maturity, and industry of the negotiating parties
● What is reasonable?
● What can be operationalized?
● What is the data? Consider a sliding scale of risk.
Top Ten Most Negotiated Provisions and Considerations
1. Scoping
● Considerations:
○ Types of Information
■ Customer Data
■ Personal Information
○ Volume of Information
○ Relationship of the Parties
○ Type of Processing
2. Limitations on Use
● Article 28(3) of the GDPR - “Processing by a processor shall be
governed by a contract or other legal act under Union or
Member State law, that is binding on the processor with
regard to the controller and that sets out the subject-matter
and duration of the processing, the nature and purpose of
the processing, the type of personal data and categories of
data subjects and the obligations and rights of the
controller”
● Considerations:
○ Broad vs. limited use cases
○ Future potential use cases
○ “What could go wrong” with being too specific
3. New Subprocessors
● Article 28(2) - “The processor shall not engage another
processor without prior specific or general written
authorisation of the controller”
● Considerations:
○ General authorization
○ Specific authorization
○ Process for objecting
4. Security Incident Notification
● Article 33(2) of the GDPR - “The processor shall notify the
controller without undue delay after becoming aware of a
personal data breach”
● Considerations:
○ Specific timing requirements (e.g., no later than)
○ Definition of security incident
5. Security Incident Remediation
● Considerations:
○ Describe the remediation measures
○ Obtain approval for remediation measures
○ Vendor point of contact for updates
6. Audit Rights
● Article 28(3)(h) - “allow for and contribute to audits,
including inspections, conducted by the controller or
another auditor mandated by the controller”
● Considerations:
○ Reputable third-party audit for SOC 2 Type 2 or ISO
27001
○ Which party pays for audit or inspection
○ Timing requirement
○ Non-disclosure agreement requirement
7. Indemnity (and its cousin, Limitation of Liability)
● Article 28(4) - “Where that other processor fails to fulfil its
data protection obligations, the initial processor shall
remain fully liable to the controller for the performance of
that other processor’s obligations”
○ This liability provision sits in Article 28(4), not in the list of
terms that Article 28(3) says the “contract or other legal act shall
stipulate”
● Considerations:
○ Impact on indemnity provision in services agreement
8. Standard Contractual Clauses
● Considerations:
○ Optional clauses
○ Annexes I, II and III
○ Adequacy decision(s)
9. Data Subject Access Requests
● Article 28(3)(e) - “taking into account the nature of the
processing, assists the controller by appropriate technical
and organisational measures, insofar as this is possible,
for the fulfilment of the controller’s obligation to respond to
requests for exercising the data subject’s rights”
● Considerations:
○ Timing
○ What level of effort to assist?
10. Technical and Organizational Measures (TOMS)
● Article 28 - “Where processing is to be carried out on behalf
of a controller, the controller shall use only processors
providing sufficient guarantees to implement appropriate
technical and organisational measures...”
● Article 32 - “the controller and the processor shall implement
appropriate technical and organisational measures to
ensure a level of security appropriate to the risk”
● Considerations:
○ Whose TOMs will be used?
○ How much is actually negotiable (e.g., a measure is a
measure)
Thank You!

TrustArc Webinar - Mastering Privacy Contracting: Key Clauses, Risks & Negotiation Strategies