
How to write clear data management agreements under GDPR


The GDPR changes a number of things about how you write data processing agreements compared with PuL, the Swedish Personal Data Act that it replaced. We take a closer look at the changes and give you three concrete tips for writing GDPR-compliant agreements.

You are probably already aware that you need an agreement that the customer accepts before you may store their personal data. Under the Personal Data Act it was already forbidden to store personal data without a legal basis, but there were few requirements on how you had to go about asking for the customer's consent. This is where the biggest change came when the GDPR, the General Data Protection Regulation, entered into force.

So what did the Personal Data Act say, and how does the GDPR differ? The Personal Data Act allowed you to process personal data if the data subject gave their consent (or if the law required you to process it). In practice, this meant it was acceptable to have a very long contract that mentioned data processing somewhere, but that nobody bothered to read.

Moreover, the customer could accept the whole agreement with a single checkbox. The GDPR, by contrast, requires consent to be an active choice (no pre-ticked boxes!) and also restricts how you may design the contract. Note that consent is only one of the lawful bases for processing under the GDPR; if you rely on another basis, such as performance of the contract, say so instead of asking for consent you do not need.

Here is what Article 7(2) of the GDPR says you must do when a request for consent is part of a larger document:

If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

So if you are writing a contract that covers data processing but also other matters, the data processing part must meet the requirements in the quote above. Below we take a closer look at what this means for you as a contract writer and give three concrete tips on how to write it.

Writing contracts under the GDPR in three steps

When you write a contract, there are new requirements on how you express yourself that apply specifically to the part of the contract concerning data processing. We have divided them into three parts and give you tips on how to meet each one.

Requirement 1: The data processing section must be clearly distinguishable from the rest of the contract

This change is not especially hard to make: if your contract covers data processing but also other matters, such as minimum contract periods, password requirements and membership benefits, the data processing section must be set apart in some way. It should be easy for a reader to navigate the contract and find the data processing section quickly.

So you should not: write one continuous text with all the terms and conditions for everything mixed together.

Rather, you should:

  • keep the data processing section separate from the rest of the contract, preferably on its own page and with some graphic marker
  • give the data processing section a clear heading that tells readers they can read about data processing right there
  • divide the rest of the contract by topic in the same way. The GDPR does not require it, but it is a nice bonus for readers.

Requirement 2: The data processing section must be in an intelligible and easily accessible form

To make the format as accessible as possible, first ask yourself how much you actually need to tell your readers. You must of course include everything the GDPR requires (for example what the data will be used for and that consent can be withdrawn at any time), but we often write far more than is needed. Keep it as short as you can. It should also be possible to read the contract without being distracted by a busy background image, long paragraphs or text that is too small.

When you write the content itself, keep things in a logical order to meet the intelligibility requirement. Information on the same subject belongs in the same place, headings should be informative, and if the agreement is long you should summarize the most important points, for example in a bulleted list. Anyone who just wants a quick overview can then look there first.

You should not: Include information that is not relevant to the readers.

Rather, you should:

  • Choose information that is necessary and relevant.
  • Think about the appearance of the contract, both on different screens and in print.
  • Summarize and write bullet points where necessary.

Requirement 3: The data processing section must use clear and plain language

The third and final thing you must do to comply with the GDPR is to make sure the language is clear and easy for the reader to follow.

Terms and conditions and contracts often contain some terms that cannot be avoided, but they can always be explained, and the rest of the text can be improved in other ways.

Talk about who is going to do something

Start by thinking about how you describe things to be done in the contract. Is it clear that someone will do something, and who will do it?

Two signs that you are on the right track are that the actors are named (the organization, the controller or the customer, for example) and that there are plenty of verbs describing what actually happens.

Don't write: The agreement may change, requiring a new approval.

Instead, write: We at Company AB may change the agreement, and the customer must then approve the agreement again.

Don't make it complicated

You may have considered copying the wording of the regulation itself to make sure you have covered everything. Unfortunately, this is not a good idea: the GDPR is a legal text and rather hard to read.

It contains many things you should avoid: long sentences, lots of parentheses and complicated sentence structure that makes the reasoning hard to follow. It is much better to write what you mean and keep the language simple.

Do not write: In order to maintain good customer and register care (or to be able to provide the service in the best possible way), Company AB may supplement the information provided by the customer when registering on the website or through contact with customer service with information from private and public registers, such as the state personal address register SPAR.

Instead, write:

  • Company AB may need to supplement the information the customer provides when registering on the website or through our customer service. We do this, for example, by retrieving the customer's address from the state personal address register SPAR. We supplement the data in order to provide the service and to maintain good customer and register care.

Be consistent

The next step is to be consistent in how you refer to your organization, the customer, the data and anything else that appears in the contract. Choose one name for each important item and state in the introduction that you will use that word throughout the contract. This makes it much easier for readers to follow, and it also makes it easier for you to keep things apart.

For example, if you use the word "we" without specifying who it refers to, it could mean you and the reader, you and your colleagues in the department, the whole organization, or perhaps the organization and all subcontractors.

If you instead state that "we" means "the organization and its employees, but not our suppliers", you can simply choose other words when you want to include other people.

Don't write: These are the terms of membership of Company AB.

Rather, write: These are the terms and conditions of membership of Company AB. When we talk about "Company AB", "we", "our", "ours" and "us" in these terms and conditions, we mean Company AB and its employees, but not our subcontractors.
