Personal data protection

Our clients often ask us to adapt the personal data protection clauses of their contracts, including their medical research contracts, an area in which we have a particular expertise.

We have an international approach taking into account the extraterritorial scope of the GDPR and other data protection laws, the European, British and Swiss adequacy decisions and regulations, and the European third-country transfer standard contractual clauses (as completed by the British or Swiss addenda and possible supplementary measures).

We are used to tackling difficult issues for which the answer varies from one European country to the other, such as:

• if and when pseudonymised data can be assimilated to anonymised data;
• whether one acts as a processor, a joint controller and/or an independent controller.

We also draft all the other documents which a business (or other organisation) is required to have in order to comply with the GDPR: records of processing activities; privacy notices to clients and potential clients, employees and job applicants, etc.; policies for creating new data processing activities complying with the principles of article 5 of the GDPR, for handling access and other requests of data subjects and for documenting and notifying personal data breaches; questionnaires for assessing service providers.