German Podcast Episode #214: Rahuls Schlüsselerfolge als Senior IT Counsel seit 2010 episode artwork

EPISODE · Aug 2, 2025 · 7 MIN

German Podcast Episode #214: Rahuls Schlüsselerfolge als Senior IT Counsel seit 2010

from Deutsch lernen mit „Unser Leben und unsere Erinnerungen“ auf Deutsch · host RAHUL SHARMA, NEHA KULSHRESHTHA

Neha: Welcome to the first episode of our miniseries "Rahul's Key Achievements as Senior IT Counsel since 2010". Today we discuss your work ensuring full GDPR compliance by embedding data protection clauses into vendor agreements. Rahul, you specifically integrated clauses on data minimization, breach notification, and more. Why is this so critical?  Rahul: Thank you, Neha. A vivid example is the CNIL case in France against Dedalus Biologie in 2022. Dedalus, a software vendor, was fined €1.5 million because it had no GDPR-compliant Data Processing Agreements (DPAs) with its laboratory clients following a data breach. The contracts lacked the clauses required by GDPR Article 28 on data minimization, security, and breach reporting. This shows regulators penalize companies that fail to flow down GDPR obligations to vendors.  Neha: Fascinating – this underscores that proactive contract drafting isn’t just a formality, but existential risk prevention. Another precedent would be the British Airways fine by the UK ICO in 2018, correct?  Rahul: Exactly. The ICO not only criticized BA's response to the breach but also noted BA had insufficient security safeguards in vendor arrangements. This contributed to the £20 million fine. Both cases prove: Embedding GDPR clauses in contracts is essential to avoid liability – not mere formalism.  Neha: Let’s delve into a specific case study you analyzed. You mentioned "TechCo", a US tech company expanding into the EU?  Rahul: Correct. TechCo engaged a cloud service provider without a proper DPA. When a breach occurred on the vendor’s servers, contractual clauses requiring prompt notification were absent. TechCo learned of the breach too late to meet GDPR’s 72-hour notification deadline (Article 33). An EU regulator consequently fined TechCo for violations of GDPR Articles 28 and 33.  Neha: And this is where your approach comes in: Had you acted as Counsel for TechCo, would your standard breach notification and minimization clauses have taken effect?  Rahul: Exactly. The vendor would have been contractually obligated to inform TechCo immediately and implement strict data protections. This would likely have prevented the delayed notification – and possibly even the breach itself. Subsequently, TechCo could have demonstrated to regulators that it had taken appropriate contractual measures, potentially reducing liability.  Neha: So robust contracts function both as a "sword" to steer vendor behavior and a "shield" to document compliance efforts?  Rahul: Precisely summarized. This personal case study I conducted in my free time illustrates this dual purpose.  Neha: Which legal frameworks and authorities are key here?  Rahul: Primarily the GDPR (EU) – especially Article 28 mandating processing agreements with specific clauses, and Articles 33-34 on notification duties. Enforcement is by national Data Protection Authorities like CNIL, ICO, or Italy’s Garante, which sanctioned a company in 2023 for lacking a DPA with a call center vendor. The European Data Protection Board (EDPB) issues guidance, such as EDPB Guideline 07/2020 stressing both controllers and processors must ensure a contract exists.  Neha: And in the US?  Rahul: While no direct GDPR equivalent exists there, sectoral laws like HIPAA for health data require similar agreements – "Business Associate Agreements". The "data minimization" principle originates from GDPR Article 5(1)(c), breach notification from Article 33. The US Federal Trade Commission (FTC) can also act if lacking vendor safeguards cause consumer harm, as seen in an action against a mortgage analytics company. My work ensures vendors are contractually bound to uphold these principles and report incidents.  Neha: A thorough overview – thank you, Rahul! Next episode: IT contract design in the cloud era. Until then! ** Read German text here: https://docs.google.com/document/d/1oEspwKpwMcjlN5BkId5-KTNIs7pywqDbp8g1lYnU2fg/edit?usp=sharing

Neha: Welcome to the first episode of our miniseries "Rahul's Key Achievements as Senior IT Counsel since 2010". Today we discuss your work ensuring full GDPR compliance by embedding data protection clauses into vendor agreements. Rahul, you specifically integrated clauses on data minimization, breach notification, and more. Why is this so critical?  Rahul: Thank you, Neha. A vivid example is the CNIL case in France against Dedalus Biologie in 2022. Dedalus, a software vendor, was fined €1.5 million because it had no GDPR-compliant Data Processing Agreements (DPAs) with its laboratory clients following a data breach. The contracts lacked the clauses required by GDPR Article 28 on data minimization, security, and breach reporting. This shows regulators penalize companies that fail to flow down GDPR obligations to vendors.  Neha: Fascinating – this underscores that proactive contract drafting isn’t just a formality, but existential risk prevention. Another precedent would be the British Airways fine by the UK ICO in 2018, correct?  Rahul: Exactly. The ICO not only criticized BA's response to the breach but also noted BA had insufficient security safeguards in vendor arrangements. This contributed to the £20 million fine. Both cases prove: Embedding GDPR clauses in contracts is essential to avoid liability – not mere formalism.  Neha: Let’s delve into a specific case study you analyzed. You mentioned "TechCo", a US tech company expanding into the EU?  Rahul: Correct. TechCo engaged a cloud service provider without a proper DPA. When a breach occurred on the vendor’s servers, contractual clauses requiring prompt notification were absent. TechCo learned of the breach too late to meet GDPR’s 72-hour notification deadline (Article 33). An EU regulator consequently fined TechCo for violations of GDPR Articles 28 and 33.  Neha: And this is where your approach comes in: Had you acted as Counsel for TechCo, would your standard breach notification and minimization clauses have taken effect?  Rahul: Exactly. The vendor would have been contractually obligated to inform TechCo immediately and implement strict data protections. This would likely have prevented the delayed notification – and possibly even the breach itself. Subsequently, TechCo could have demonstrated to regulators that it had taken appropriate contractual measures, potentially reducing liability.  Neha: So robust contracts function both as a "sword" to steer vendor behavior and a "shield" to document compliance efforts?  Rahul: Precisely summarized. This personal case study I conducted in my free time illustrates this dual purpose.  Neha: Which legal frameworks and authorities are key here?  Rahul: Primarily the GDPR (EU) – especially Article 28 mandating processing agreements with specific clauses, and Articles 33-34 on notification duties. Enforcement is by national Data Protection Authorities like CNIL, ICO, or Italy’s Garante, which sanctioned a company in 2023 for lacking a DPA with a call center vendor. The European Data Protection Board (EDPB) issues guidance, such as EDPB Guideline 07/2020 stressing both controllers and processors must ensure a contract exists.  Neha: And in the US?  Rahul: While no direct GDPR equivalent exists there, sectoral laws like HIPAA for health data require similar agreements – "Business Associate Agreements". The "data minimization" principle originates from GDPR Article 5(1)(c), breach notification from Article 33. The US Federal Trade Commission (FTC) can also act if lacking vendor safeguards cause consumer harm, as seen in an action against a mortgage analytics company. My work ensures vendors are contractually bound to uphold these principles and report incidents.  Neha: A thorough overview – thank you, Rahul! Next episode: IT contract design in the cloud era. Until then! ** Read German text here: https://docs.google.com/document/d/1oEspwKpwMcjlN5BkId5-KTNIs7pywqDbp8g1lYnU2fg/edit?usp=sharing

NOW PLAYING

German Podcast Episode #214: Rahuls Schlüsselerfolge als Senior IT Counsel seit 2010

0:00 7:50

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

Flottengeflüster ALD Automotive Österreich | LeasePlan Beim Flottengeflüster powered by ALD Automotive | LeasePlan präsentieren Jörg Janik und Peter Gutenbrunner alle zwei Wochen spannende Informationen rund um das Thema nachhaltige Mobilität. Beide beschäftigen sich schon lange mit der Thematik und bringen umfangreiches Fachwissen mit. Sollten sie aber doch einmal nicht weiter wissen, werden unsere Expert*innen hinzugezogen, die ihnen gerne mit Rat und Tat zur Seite stehen. Denn sie wissen was sie wandern Manuel Andrack Alles über Premiumwanderwege, die schönsten Wege in Deutschland. Sensationelle Outdoor-Erlebnisse auf 750 Premiumwegen. Moderiert von Manuel Andrack (Sidekick der Harald Schmidt Show) und Klaus Erber (Vorsitzender des Deutschen Wanderinstituts.) Lebe deine Wahrheit Larissa Geiges Was heißt es eigentlich die eigene Wahrheit zu leben? Und wie finde ich sie überhaupt?Für mich bedeutet es, die ehrlichste Version von mir selbst zu sein. All die Masken abnehmen, mit denen wir durch unser Leben gehen, den Menschen zu leben, der man im Kern ist.Wir dürfen immer entscheiden welchen Weg wir gehen. Den Eigenen oder den, den andere für uns gewählt haben. In diesem Podcast nehme ich dich mit auf meine Reise und wünsche mir, dass du viele wertvolle Impulse für dich und deinen Weg mitnehmen kannst. Ich teile mit dir welche Schritte ich auf dem Weg zu meiner Wahrheit gegangen bin und welche Prozesse ich auch heute noch durchlaufe. Ich teile meine Struggles und Ängste mit dir und meine Erkenntnise aus all den Phasen, durch die ich noch gehe und schon gegangen bin.Ich freue mich sehr, wenn du Teil hiervon bist und ich dich auf deinem Weg zu deiner ganz eigenen Wahrheit ein Stück begleiten darf.Alles Liebe für dich,deine Larissa 21 Millionen - Die Bitcoin Akademie Marco Eberle Bist Du bereit für Deine Bitcoin-Reise? Wir stehen vielleicht am Anfang einer finanziellen Revolution, und Bitcoin ist erst am Start seiner Reise.Hast Du Dich jemals gefragt, was hinter Bitcoin steckt und wie Du ein Teil dieser aufstrebenden Zukunft werden kannst? Hier bist Du genau am richtigen Ort!

Frequently Asked Questions

How long is this episode of Deutsch lernen mit „Unser Leben und unsere Erinnerungen“ auf Deutsch?

This episode is 7 minutes long.

When was this Deutsch lernen mit „Unser Leben und unsere Erinnerungen“ auf Deutsch episode published?

This episode was published on August 2, 2025.

What is this episode about?

Neha: Welcome to the first episode of our miniseries "Rahul's Key Achievements as Senior IT Counsel since 2010". Today we discuss your work ensuring full GDPR compliance by embedding data protection clauses into vendor agreements. Rahul, you...

Can I download this Deutsch lernen mit „Unser Leben und unsere Erinnerungen“ auf Deutsch episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!