The European Data Protection Board is consulting on its Guidelines on the concepts of controller and processor in the GDPR until 19 October 2020. They are long and detailed and only likely to be read by those with a serious interest in the GDPR. I thought I would highlight what I found to be a very interesting paragraph (107) on data processing agreements that are included in a service provider's standard terms and conditions.

‘The fact that the contract and its detailed terms of business are prepared by the service provider rather than by the controller is not in itself problematic and is not in itself a sufficient basis to conclude that the service provider should be considered as a controller. Also, the imbalance in the contractual power of a small data controller with respect to big service providers should not be considered as a justification for the controller to accept clauses and terms of contracts which are not in compliance with data protection law, nor can it discharge the controller from its data protection obligations. The controller must evaluate the terms and in so far as it freely accepts them and makes use of the service, it has also accepted full responsibility for compliance with the GDPR. Any proposed modification, by a processor, of data processing agreements included in standard terms and conditions should be directly notified to and approved by the controller. The mere publication of these modifications on the processor’s website is not compliant with Article 28.’

In short, a small controller cannot use its weak bargaining position as an excuse for poor GDPR compliance, but large processors cannot abuse their bargaining position by simply dictating terms, and changes to a data processing agreement must be notified to and approved by the controller rather than merely posted on the processor’s website.