We are a small-sized processing company based in Switzerland, using suppliers/co-processors in the EU. I am going through the GDPR for DPOs training and want to quickly check my understanding. Am I right to assume that for EU suppliers we do not need a change of contract (relating to data transfer), whereas if we had suppliers from the US, for example, we would need to formalize data transfer in the form of a contract?
If your suppliers are within the EU/EEA, there is no need for any safeguards regarding transfers, so no Data Transfer Agreement is needed between controllers and processors that are in the EU/EEA.
However, the Data Processing Agreement, which is the legally binding document establishing the obligations of the processors, may need to be changed, as there are certain requirements that are new and not covered by the current Data Protection Directive. In terms of processor obligations, you might find the following article on our website useful: “EU GDPR Controller vs. Processor – What are the differences” https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/.