As more and more states enact laws that mirror aspects of GDPR, and as companies begin to get used to the EU's new standard contractual clauses, now may be a good opportunity for a refresh on data sharing agreements. As most in the privacy space are well aware, the laws in many states (and countries) call for certain oversight in these situations, and many require specific content to be included in contracts. What might you want to include in your contract roadmap?
First, assess what law(s) are in scope. This depends not only on where the parties are located and doing business, but also where those individuals whose information is being processed are located as well. The EU requires specific clauses to protect its member states’ citizens under GDPR. California, Colorado, Connecticut, Utah, and Virginia have similar provisions (with other states coming into effect).
Second, understand the parties' relationship. Will they be deciding jointly how to use the information ("joint controllers")? Will each be making independent decisions ("controller-to-controller", or independent controllers)? Will one party be telling the other what to do ("controller-processor")? Those are the EU terms, but before selecting them, make sure you understand who is actually doing what with the information.
Third, include the right provisions. We have laid out below a summary of considerations for three circumstances: (1) joint controllers; (2) independent controllers; and (3) controller-to-processor. Included are both items contemplated under the various laws and practical considerations to cover when contracting in these situations.
Joint Controllers and Independent Controllers:
- Think through and outline in the contract what each party's role will be in processing the information. Who is responsible for what? How will rights requests be processed, and which party responds to the individual?
- For contracts that involve transfer of data from the EU to non-EU locations, ensure that an appropriate transfer mechanism is in place (for example, the EU standard contractual clauses). That might include additional provisions around security in the agreement.
- Address length of processing, obligations relating to use of information, and provisions for data security and confidentiality.
- Think through mechanisms for notice and other steps to take in the event of a data breach.
- One party may be providing services to the other in a way that triggers other obligations (for example, acting as a "service provider", "processor" or "third party"). If so, confirm that the relevant provisions from the next section have been included and that the parties' roles and obligations have otherwise been thought through.
Controller-Processor:
- Include clear instructions for what is processed and how: the purpose of the processing, the types of information and categories of individuals involved, how long the information will be processed, and the parties' specific obligations with respect to use of the information. Include obligations around data security and confidentiality (including that personnel with access are bound by confidentiality).
- For contracts that involve transfer of data from the EU to non-EU locations (or outside of the UK or Switzerland), ensure that an appropriate transfer mechanism is in place. That might include additional provisions around security in the agreement.
- Make sure that the processor helps the controller comply with its legal obligations. This includes assistance in responding to rights requests and, where applicable, with security obligations and data protection impact assessments.
- Think through mechanisms for notice and other steps to take in the event of a data breach, including how quickly the processor must notify the controller and what information the notice must contain.
- Have the processor provide proof of compliance on reasonable request. Also address audits (whether conducted by the controller or an independent third party).
- Ensure that any subcontractors (sub-processors) are bound by the same requirements set out in the contract with the processor, and that the processor remains responsible for them. Consider whether you want to approve each subcontractor in writing or allow for general authorization through the contract; if the latter, require notice of changes and an opportunity to object.
- When the contract ends, have the processor return or delete the information (at the controller's choice), and address any copies the processor must retain by law.
Putting it into Practice: When putting together a data processing agreement with a third party, think not just about the legal obligations under GDPR and the growing list of state laws, but also about the practical. What content can be included to best protect the parties? Now is a perfect time for a DPA refresh.