Publication date : 02/24/2026
Course : Integrate relevant contractual clauses in a changing regulatory contextRGPD, NIS2, DORA, IA Act, CRA
Practical course - 3d
- 21h00 - Ref. CTN
|
Download in PDF format
Share this course by email
 | Identify contractual clauses to RGPD compliance and recent regulations NIS2, DORA, CRA, IA Act, etc. |
| Adapting contracts to suit different roles (controller, subcontractor, etc.) |
| Integrating data protection and cybersecurity into contracts |
| Secure relations with partners, service providers and subsidiaries in a complex regulatory environment |
| Prevent legal, financial and reputational risks |
Intended audience
DPOs, CISOs, IT, digital and data project managers, contract managers, in-house lawyers and operational departments involved in contractualization.
Prerequisites
Basic knowledge of contract law and RGPD fundamentals.
Practical details
Teaching methods
Case studies and analysis of real documents, practical exercises and negotiation simulations.
Course schedule
1 Contractual issues of the RGPD
- Essential reminders of the RGPD (principles, roles, obligations).
- Risks associated with non-contractual processing.
- Jurisprudence, CNIL controls, sanctions.
2 Identify roles to qualify parties to the contract
- Data controller, processor, co-responsibility.
- Contractual consequences of legal qualification.
Storyboarding workshops
Concrete examples: IT service providers, SaaS publishers, marketing agencies.
3 Nuance according to its contractual role
- _1_The data controller (RT) :
- Determines the essential purposes and means of processing.
- Strictly supervises subcontractors via a contract that complies with Article 28 RGPD.
- Key obligations: checking compliance, enforcing safety, supervising subcontractors, cooperating with the authorities.
- _2_The Subcontractor (ST) :
- Processes data on behalf of a RT.
- Beware of abusive clauses: unlimited liability, unilateral audits.
- Negotiate the balance of obligations.
- _3_The RT facing a big ST :
- ST imposes its standard clauses on you (GAFAM, cloud, etc.).
- Identify critical clauses, provide appendices, document arbitrations.
- _4_Cases of co-responsibility :
- Clear agreement on sharing obligations.
- Example: white-label platform.
4 Must-have clauses
- Processing purposes, duration, nature, categories of data.
- Subcontractor obligations (Article 28 RGPD).
- Cooperation, security, audit and notification clauses.
- Confidentiality, reversibility, data deletion.
Case study
Analysis of an existing contract (SaaS, outsourcing, HR management). Detection of gaps or unsuitable wording. Conforming and operational reformulation.
5 RGPD clauses and drafting: international data transfers
- Control of transfers outside the EU.
- Standard contractual clauses (CCT 2021), BCR, derogations.
- Special cases: international groups, cloud.
6 Articulating RGPD and other contractual requirements
- Integration into GTC, GCU, customer/supplier contracts.
- Harmonization with security clauses, SLAs, technical appendices.
- Specific features of public procurement and calls for tender.
Case study
Réécriture d’une clause type RGPD pour différents contextes (CRM, plateforme web, traitement RH). Équilibre entre conformité et souplesse contractuelle. Dialogue avec les parties : DSI, juristes, achats.
7 Transversality with new regulations
- Global compliance clause.
- RGPD, IA Act (high-risk systems).
- NIS2 (cybersecurity), DORA (operational resilience), CRA (product cybersecurity).
- Examples of evolving formulations for different types of treatment or service.
- Safety net clause" and regulatory adaptation clause.
8 RGPD negotiation strategies
- Anticipate objections (cost, feasibility, liability).
- Typical arguments according to contractual position.
- Guarantees, insurance, limitations of liability.
Hands-on work
Objectif : intégrer une clause conforme RGPD dans un contrat déséquilibré. Simulation d’un échange entre client et prestataire. Jeu de rôle : juriste, acheteur, DPO, fournisseur.
9 Building a contractual toolbox
- Ready-to-use clauses.
- Model endorsements/appendices Article 28.
- RGPD contractual audit form.
PARTICIPANTS
DPOs, CISOs, IT, digital and data project managers, contract managers, in-house lawyers and operational departments involved in contractualization.
PREREQUISITES
Basic knowledge of contract law and RGPD fundamentals.
TRAINER QUALIFICATIONS
The experts leading the training are specialists in the covered subjects. They have been approved by our instructional teams for both their professional knowledge and their teaching ability, for each course they teach. They have at least five to ten years of experience in their field and hold (or have held) decision-making positions in companies.
ASSESSMENT TERMS
The trainer evaluates each participant’s academic progress throughout the training using multiple choice, scenarios, hands-on work and more.
Participants also complete a placement test before and after the course to measure the skills they’ve developed.
TERMS AND DEADLINES
Registration must be completed 24 hours before the start of the training.
ACCESSIBILITY FOR PEOPLE WITH DISABILITIES
Do you need special accessibility accommodations? Contact Mrs. Fosse, Disability Manager, at psh-accueil@orsys.fr to review your request and its feasibility.
DPOs, CISOs, IT, digital and data project managers, contract managers, in-house lawyers and operational departments involved in contractualization.
PREREQUISITES
Basic knowledge of contract law and RGPD fundamentals.
TRAINER QUALIFICATIONS
The experts leading the training are specialists in the covered subjects. They have been approved by our instructional teams for both their professional knowledge and their teaching ability, for each course they teach. They have at least five to ten years of experience in their field and hold (or have held) decision-making positions in companies.
ASSESSMENT TERMS
The trainer evaluates each participant’s academic progress throughout the training using multiple choice, scenarios, hands-on work and more.
Participants also complete a placement test before and after the course to measure the skills they’ve developed.
TEACHING AIDS AND TECHNICAL RESOURCES
• The main teaching aids and instructional methods used in the training are audiovisual aids, documentation and course material, hands-on application exercises and corrected exercises for practical training courses, case studies and coverage of real cases for training seminars.
• At the end of each course or seminar, ORSYS provides participants with a course evaluation questionnaire that is analysed by our instructional teams.
• A check-in sheet for each half-day of attendance is provided at the end of the training, along with a course completion certificate if the trainee attended the entire session.
• The main teaching aids and instructional methods used in the training are audiovisual aids, documentation and course material, hands-on application exercises and corrected exercises for practical training courses, case studies and coverage of real cases for training seminars.
• At the end of each course or seminar, ORSYS provides participants with a course evaluation questionnaire that is analysed by our instructional teams.
• A check-in sheet for each half-day of attendance is provided at the end of the training, along with a course completion certificate if the trainee attended the entire session.
TERMS AND DEADLINES
Registration must be completed 24 hours before the start of the training.
ACCESSIBILITY FOR PEOPLE WITH DISABILITIES
Do you need special accessibility accommodations? Contact Mrs. Fosse, Disability Manager, at psh-accueil@orsys.fr to review your request and its feasibility.
Dates and locations
Select your location or opt for the remote class then choose your date.
Remote class
Last places available
Guaranteed date, in person or remotely
Guaranteed session