DPA 101: Do You Know Where Your Data Is?
Wednesday, February 28, 2024
Protecting Your Data With DPA
Print Mail Download i

As more and more states enact laws that mirror aspects of GDPR, and as companies begin to get used to the EU’s new standard contractual clauses, now may be a good opportunity for a refresh on data sharing agreements. As most in the privacy space are well aware, the laws in many states -and countries- call for certain oversight in these situations. And many require specific content to be included in contracts. What might you want to include in your contract roadmap?

First, assess what law(s) are in scope. This depends not only on where the parties are located and doing business, but also where those individuals whose information is being processed are located as well. The EU requires specific clauses to protect its member states’ citizens under GDPR. CaliforniaColoradoConnecticutUtah, and Virginia have similar provisions (with other states coming into effect). 

Second, understand the parties’ relationship. Will they be deciding jointly how to use the information (“joint controllers”)? Will both be making independent decisions (“controller-to-controller”)? Will one party be telling the other what to do (“controller-processor”)?

Joint controllers, controller-processor, or independent controllers to use EU terms. But before selecting terms, make sure you understand who is doing what with the information. Next, make sure to include the right provisions. We have laid out below a summary of considerations for three circumstances: (1) joint controllers; (2) independent controllers; and (3) controller-to-processor. Included below are both things contemplated under the various laws, as well as practical considerations to cover when contracting in these situations.

Joint Controllers and Independent Controllers:

  • Think through and outline in the contract what each parties’ role will be in processing information. Who is responsible for what? How will rights requests be processed?
  • For contracts that involve transfer of data from the EU to non-EU locations, ensure that there are the appropriate mechanisms in place for that transfer. That might include additional provisions around security in the agreement.
  • Address length of processing, obligations relating to use of information, and provisions for data security and confidentiality.
  • Think through mechanisms for notice and other steps to take in the event of a data breach.
  • The parties can be or will be providing services to the other party such that it might trigger other obligations (for example being a “service provider” “processor” or “third party”). As applicable, have the correct provisions from the next section been included and have the parties’ roles and obligations otherwise been thought through.

Controller-Processor:

  • Include clear instructions for what is processed and how. Include the purpose of processing and the type of information being processed. Also indicate how long information will be processed and the parties’ specific obligations with respect to use of the information. Include in those obligations around data security and confidentiality.
  • For contracts that involve transfer of data from the EU to non-EU locations (or outside of the UK or Switzerland), ensure that there are the appropriate mechanisms in place for that transfer. That might include additional provisions around security in the agreement.
  • Make sure that the processor helps the controller comply with legal obligations. This includes assistance in responding to rights requests. 
  • Think through mechanisms for notice and other steps to take in the event of a data breach.
  • Have the processor provide proof of compliance on reasonable request. Also address audits (whether conducted by the controller or an independent third party).
  • Ensure that any subcontractors follow the requirements set out in the contract with the processor. Consider whether you want to approve each subcontractor in writing or allow for general authorization of subcontractors through the contract.
  • When the contract ends, have the processor return or destroy information.

Putting it into Practice: When putting together a data processing agreement with a third party, think not just about the legal obligations under GDPR and the growing list of state laws- but also the practical. What content can be included to best protect the parties? Now is a perfect time for a DPA refresh.

Listen to this post here

Copyright © 2024, Sheppard Mullin Richter & Hampton LLP.

Current Legal Analysis

More from Sheppard, Mullin, Richter & Hampton LLP

CFPB Announces Update in Continued War on Mortgage Servicing Junk Fees
by: A.J. S. Dhaliwal , Mehul N. Madia
Kansas Enacts Earned Wages Access Law
by: A.J. S. Dhaliwal , Mehul N. Madia
New York Broadly Revises Hospital Financial Assistance, Medical Debt Collection and Related Requirements
by: Carmen Jule
Utah’s New AI Disclosure Requirements Effective May 1
by: Liisa M. Thomas , Kathryn Smith
The CPPA Signals Focus on Data Minimization and Consumer Requests
by: Brittany Walter
Nebraska Fourth State to Enact Privacy Law in 2024
by: Liisa M. Thomas , Kathryn Smith
Solving for Physician Burnout: Creating a Culture of Psychological Safety
by: Kathleen M. O'Neill , Samantha Young
CMS Finalizes Federal Minimum Staffing Standards for Nursing Homes
by: Lourdes Martinez , Gregory R. Smith
New Program Under Biden Executive Order to Prevent Access to American’s Sensitive Personal Data by Foreign Actors
by: Townsend L. Bourne , Jordan Mallory
FTC Votes to Ban Noncompete Agreements
by: John D. Carroll , Leo Caseria

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins