<div dir="ltr"><div dir="ltr"><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><a href="https://www.iotevolutionworld.com/iot/articles/440315-guidelines-gdpr-compliance-third-party-contracts.htm">https://www.iotevolutionworld.com/iot/articles/440315-guidelines-gdpr-compliance-third-party-contracts.htm</a><br clear="all"><div><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"></div></div><div dir="ltr"><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">The last few years have demonstrated that personal data is not merely one of the most valuable assets of IT companies but is also an object of misuse. Examples of misuse range from selling users’ data without informing them to data breaches caused by a lack of protection measures. Such cases have led to the rise of strict national regulations in many countries. 
Privacy does matter, not only for natural persons but for every company that handles personal data.<br></p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">Complying with personal data protection requirements is vital, since it helps build the company’s goodwill in its relationships with both clients and partners. On the other hand, major data protection violations may lead to the company’s liability. This includes fines (up to 4% of total turnover) or even suspension, by the competent government body, of the activities that involve the use of personal data.</p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">The recent European legislation that regulates the flow of the personal data of EU residents is REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 April 2016 (General Data Protection Regulation). 
Among its requirements regarding the collection, use, and protection of personal data in business activities, the European Regulation imposes restrictions on sharing collected data with third parties, whether for the company’s own purposes or for the third party’s benefit.</p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">Almost every contract involves some amount of personal data. For example, a contract may contain an officer’s contact information, a company may share the e-mail addresses it has collected in order to obtain e-mail marketing services, or it may sell the collected data for a third party’s own marketing. Depending on the purpose, amount, and nature of the data concerned, the GDPR requirements will vary. The common condition for any personal data transfer, however, is appropriate documentation of that transfer.</p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">Taking a few simple steps will help the company fulfill its obligations in contracts with third parties and mitigate the risks of data misuse by those third parties.</p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">First, you must decide whether the potential contract involves personal information. 
What falls under the definition of personal information?</strong></p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">Personal data under the GDPR is any information that relates to a particular natural person and is linked, or can be linked, to this person by personal identifiers.</p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">These personal identifiers can be a person's name, identification code, address of residence, location data (including geodata and some kinds of IP addresses), or specific features of the person (genetic information, physical parameters, economic, cultural or social identity).</p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">Any data collected about a natural person and connected with personal identifiers (or that can be so connected) will be considered personal data.</p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">Examples include an employee profile, contact information, a customer database, information about a user’s activity on a website, financial activity, and so on. 
As long as this information is connected, or can be connected, to a person's name, location, or other identifiers from the list above, it is personal data.</p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">However, the potential contract does not have to meet the data protection requirements if it involves a transfer of aggregated statistical information from which the information about an individual natural person cannot be distinguished.</p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">Therefore, if the contract deals with any of the above-mentioned information, and this information is identifiable, it is important to comply with personal data protection legislation.</p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">Second, define whether the use of personal data falls under the jurisdiction of the European Union.</strong></p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">The European data protection legislation has, so far, one of the broadest territorial scopes. 
The GDPR will apply to the potential contract if either of the following is true:</p><ul style="margin:0px 0px 15px;padding:3px 0px 2px 20px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);list-style-position:initial;font-size:1.15em;color:rgb(51,51,51);font-family:"Open Sans",sans-serif"><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;color:rgb(68,68,68);line-height:28.98px;list-style-position:inside">One of the contracting parties is established inside the European Union. Here, the mere fact that the legal entity is registered under the laws of an EU country is not sufficient. The office that makes the decisions regarding the contract and the personal data transfer must in fact be located in one of the EU countries; or</li><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;color:rgb(68,68,68);line-height:28.98px;list-style-position:inside">The personal information involved was collected as a result of offering goods and services to EU citizens (or other people who permanently live in the EU) or of intentionally monitoring information about EU citizens. The offering or the monitoring as the trigger for the collection is the core condition. That means that the unintentional collection of personal information about EU citizens will not fall under the EU jurisdiction.</li></ul><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">Third, determine the role of the company in the personal data exchange.</strong></p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">The next, and the most important, step in EU data protection compliance is understanding the company’s role in the data exchange. The scope and nature of the obligations will depend on the company’s intentions regarding the personal information concerned.</p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">There are two possible roles for each party in the contract: controller and processor. However, these roles are not mutually exclusive – e.g. both parties can be personal data controllers. 
Generally speaking:</p><ul style="margin:0px 0px 15px;padding:3px 0px 2px 20px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);list-style-position:initial;font-size:1.15em;color:rgb(51,51,51);font-family:"Open Sans",sans-serif"><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;color:rgb(68,68,68);line-height:28.98px;list-style-position:inside"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">The Controller</strong> determines its own purposes for the use of the personal data, whether marketing, training artificial intelligence, or statistical purposes.</li></ul><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">The company will be a controller of the personal data if:</p><ol style="margin:0px 0px 15px;padding:3px 0px 2px 20px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);list-style:lower-alpha;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px"><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;line-height:24px;font-size:16px;color:rgb(68,68,68)">It provides the data to the contracting party, whether for the third party’s own purposes or to process the data on the company’s behalf (e.g. to a payroll company); and</li><li style="margin:12px 0px 0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;line-height:24px;font-size:16px;color:rgb(68,68,68)">It obtains personal information to use it for the company’s own purposes (e.g. for its own marketing) or upon its own request (e.g. to register employees of the contracting party for the company’s event).</li></ol><ul style="margin:0px 0px 15px;padding:3px 0px 2px 20px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);list-style-position:initial;font-size:1.15em;color:rgb(51,51,51);font-family:"Open Sans",sans-serif"><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;color:rgb(68,68,68);line-height:28.98px;list-style-position:inside"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">The Processor </strong>uses the obtained data on behalf of the controller and only for the controller’s purposes.</li></ul><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">The company is going to be a processor if it obtains the data to process it on the contracting party’s behalf (e.g. data storage, e-mail distribution, marketing analysis).</p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">There is a common myth that a software developer company is a data processor for any company that uses its software for data processing. This is not the case. In such a case, the processing software is deemed to be a tool for processing. 
The company that uses this tool on the data will be either a controller or a processor.</p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">Based on this classification, all data relationships in agreements can be divided into three groups:</p><ul style="margin:0px 0px 15px;padding:3px 0px 2px 20px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);list-style-position:initial;font-size:1.15em;color:rgb(51,51,51);font-family:"Open Sans",sans-serif"><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;color:rgb(68,68,68);line-height:28.98px;list-style-position:inside"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">Controller-Processor relationships</strong> – the type of agreement where the controller determines the scope, nature, and purposes of the processing. The controller provides data to the processor, who processes the data on the controller’s behalf. The most common controller-processor relationships are payment services, cloud storage, and e-mail newsletter distribution;</li><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;color:rgb(68,68,68);line-height:28.98px;list-style-position:inside"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">Controller-Controller relationships </strong>– each contracting party has its own purposes in the data exchange. If the company sells its customers’ data to third parties, this is a controller-controller agreement, since each party processes the data on its own behalf; and</li><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;color:rgb(68,68,68);line-height:28.98px;list-style-position:inside"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">Mixed relationships </strong>– in many cases the parties’ roles are mixed. That means that a contracting party can be a controller for one type of data (or purpose) and a processor for other data under the same agreement. In such a case, it is vital to determine the exact role of the company in each separate data transfer. E.g. a company shares its data with an analytics service provider for analytics services, and the provider may use the data for its own marketing or research purposes. The provider will be a processor when providing the analytics services, but a controller for its own marketing/research.</li></ul><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">Although the classifications seem only to complicate things, they help establish with certainty the company’s rights and obligations regarding the transferred data. 
After all, the GDPR requirements vary depending on the role of the company.</p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">Finally, the GDPR requirements themselves. What must be met when the company concludes the contract?</strong></p><ol style="margin:0px 0px 15px;padding:3px 0px 2px 20px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);list-style-position:initial;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px"><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;line-height:24px;font-size:16px;color:rgb(68,68,68)"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">The lawful basis for the transfer</strong></li></ol><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">Before sharing the collected personal data, the company should ensure it has a legal basis for the transfer. Did the data subject allow the transfer of his/her data to third parties?</p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">Consent is not the only legal basis, however. The GDPR requires one of six lawful bases for any operation on the data. 
These are:</p><ul style="margin:0px 0px 15px;padding:3px 0px 2px 20px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);list-style-position:initial;font-size:1.15em;color:rgb(51,51,51);font-family:"Open Sans",sans-serif"><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;color:rgb(68,68,68);line-height:28.98px;list-style-position:inside"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">Subject’s specific consent</strong> to do so – this is required in data sale agreements or in any transfer that is not covered by the other bases;</li><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;color:rgb(68,68,68);line-height:28.98px;list-style-position:inside"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">Processing (transfer) is necessary for the performance of a contract</strong> with the data subject – this is suitable for controller-processor relationships and does not require additional consent;</li><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;color:rgb(68,68,68);line-height:28.98px;list-style-position:inside"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">Legitimate interest of the company</strong> – arguably the trickiest basis. A data transfer can only rely on legitimate interest if the data subject can reasonably expect such a transfer;</li><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;color:rgb(68,68,68);line-height:28.98px;list-style-position:inside"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">Processing (transfer) is necessary for the company’s legal obligations</strong>;</li><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;color:rgb(68,68,68);line-height:28.98px;list-style-position:inside"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">Processing (transfer) is necessary for the protection of the subject’s vital interests</strong>; and</li><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;color:rgb(68,68,68);line-height:28.98px;list-style-position:inside"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">Public interest or a competent authority’s request</strong>.</li></ul><ol start="2" style="margin:0px 0px 15px;padding:3px 0px 2px 20px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);list-style-position:initial;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px"><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;line-height:24px;font-size:16px;color:rgb(68,68,68)"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">Data protection agreements</strong></li></ol><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">Although it is not obvious, appropriate documentation of data transfers is vital for any data controller. For example, data protection agreements will be examined by a supervisory authority if it starts an investigation of the company. During the investigation, a data protection authority examines each contract the company has with third parties that process the collected personal data, not only the company’s Privacy Policy or other internal documentation.</p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">Data protection cannot be documented as just another set of boilerplate clauses in the arrangements between the parties. 
Rather, it must take the form of separate and specific agreements (or addendums to the principal agreement).</p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">If the company or the contracting party is a processor, there must be a Data Processing Agreement (controller-processor agreement), which stipulates the purposes, obligations, secure processing, and other conditions for the data processing (covered in the paragraphs below).</p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">If the company and the contracting party are both controllers, there must be a Data Protection Agreement (controller-controller agreement).</p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">If there is a transfer of personal information to a non-EU (EEA) country (no matter on which side), a “standard contractual clauses” agreement must be concluded to ensure the safety of the data outside the EU. 
This agreement ensures that the GDPR requirements remain applicable regardless of the national legislation.</p><ol start="3" style="margin:0px 0px 15px;padding:3px 0px 2px 20px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);list-style-position:initial;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px"><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;line-height:24px;font-size:16px;color:rgb(68,68,68)"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">Data protection clauses</strong></li></ol><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">If the amount of personal information will be limited to the requisites in the contract, or it is uncertain how much data is going to be involved, the contract must stipulate the security of the information, ensure purpose limitation, and ensure compliance with the other requirements mentioned below. 
As an alternative, these requirements can be included in the Non-Disclosure Agreement.</p><ol start="4" style="margin:0px 0px 15px;padding:3px 0px 2px 20px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);list-style-position:initial;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px"><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;line-height:24px;font-size:16px;color:rgb(68,68,68)"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">Data security and confidentiality</strong></li></ol><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">Both controllers and processors must ensure the secure storage and processing of the information, which includes:</p><ul style="margin:0px 0px 15px;padding:3px 0px 2px 20px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);list-style-position:initial;font-size:1.15em;color:rgb(51,51,51);font-family:"Open Sans",sans-serif"><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;color:rgb(68,68,68);line-height:28.98px;list-style-position:inside">If appropriate and possible, storing the personal data separately from other data;</li><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;color:rgb(68,68,68);line-height:28.98px;list-style-position:inside">Appropriate technical measures such as pseudonymization, encryption, the use of security certificates (SSL) and secure communication protocols (HTTPS), where appropriate; and</li><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;color:rgb(68,68,68);line-height:28.98px;list-style-position:inside">Limited access to the obtained personal data. Only authorized persons, and only for the purposes of the agreement, may have access to the data. In case the company provides the data to a processor, the processor’s employees (or other persons authorized to process the data on its behalf) shall be under an appropriate statutory obligation of confidentiality.</li></ul><ol start="5" style="margin:0px 0px 15px;padding:3px 0px 2px 20px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);list-style-position:initial;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px"><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;line-height:24px;font-size:16px;color:rgb(68,68,68)"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">A person responsible for the personal data</strong></li></ol><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">Both controllers and processors must name in the contract a designated person on each side who can be addressed for any issues regarding the personal data. 
This person must control the use, security, deletion, and rectification of the personal data.</p><ol style="margin:0px 0px 15px;padding:3px 0px 2px 20px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);list-style-position:initial;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px"><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;line-height:24px;font-size:16px;color:rgb(68,68,68)"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">Purpose limitation</strong></li></ol><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">The purposes of the personal data use must be clearly set out in the agreement:</p><ul style="margin:0px 0px 15px;padding:3px 0px 2px 20px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);list-style-position:initial;font-size:1.15em;color:rgb(51,51,51);font-family:"Open Sans",sans-serif"><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;color:rgb(68,68,68);line-height:28.98px;list-style-position:inside">If the company is a processor under the contract, it must use the personal information on behalf of the contracting party and only for purposes that are mentioned in the contract, on documented instructions of the controller only; and</li></ul><ul style="margin:0px 0px 15px;padding:3px 0px 2px 20px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);list-style-position:initial;font-size:1.15em;color:rgb(51,51,51);font-family:"Open Sans",sans-serif"><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;color:rgb(68,68,68);line-height:28.98px;list-style-position:inside">If the company is a controller, it must 
use the data only for its own purposes that were specified in the contract.</li></ul><ol style="margin:0px 0px 15px;padding:3px 0px 2px 20px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);list-style-position:initial;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px"><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;line-height:24px;font-size:16px;color:rgb(68,68,68)"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">Deletion, return and rectification</strong></li></ol><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">Data subjects can request that the controller delete or correct the information held about them. If this information was transferred under the agreement, both controllers and processors must delete, return or rectify the data they are processing. Also, the personal data must be deleted once it is no longer necessary for the purposes of the contract. 
However, legal obligations to retain the personal information can be an exception to these rules.</p><ol style="margin:0px 0px 15px;padding:3px 0px 2px 20px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);list-style-position:initial;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px"><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;line-height:24px;font-size:16px;color:rgb(68,68,68)"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">Cooperation and assistance</strong></li></ol><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">Another important issue to stipulate in the agreement between the parties is the assistance that the processor or controller receiving the data must give the data controller in meeting its obligations. The question of cooperation and assistance divides into two groups of obligations:</p><ul style="margin:0px 0px 15px;padding:3px 0px 2px 20px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);list-style-position:initial;font-size:1.15em;color:rgb(51,51,51);font-family:"Open Sans",sans-serif"><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;color:rgb(68,68,68);line-height:28.98px;list-style-position:inside"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">Data subject requests</strong>. Who is going to answer the inquiries? The parties can decide to process requests jointly or place this obligation on the main (only) controller. 
Nevertheless, the receiving party and all involved third parties shall be bound to assist the data controller with data subject requests; and </li></ul><ul style="margin:0px 0px 15px;padding:3px 0px 2px 20px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);list-style-position:initial;font-size:1.15em;color:rgb(51,51,51);font-family:"Open Sans",sans-serif"><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;color:rgb(68,68,68);line-height:28.98px;list-style-position:inside"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">Supervisory authority inspections</strong>. It is reasonable to document the obligation of the receiving party to inform the data controller should an inspection occur. In such a case, the contracting parties, as well as all engaged third parties, shall cooperate and jointly provide all necessary information regarding the contracted processing activities, including the data protection/processing agreements themselves.
</li></ul><ol style="margin:0px 0px 15px;padding:3px 0px 2px 20px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);list-style-position:initial;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px"><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;line-height:24px;font-size:16px;color:rgb(68,68,68)"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">Transfer to third parties and third countries</strong></li></ol><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">Neither controllers nor processors may transfer the personal data to third parties or to third countries unless otherwise specified in the contract or the company has obtained consent from the disclosing party. In any case, all third parties that receive the data shall uphold the same level of obligations the contracting parties have regarding the concerned information.</p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">Furthermore, the company shall have appropriate safeguards in place to transfer the data to a third country. One such safeguard was mentioned in paragraph 1: the Standard Contractual Clauses. The appropriate safeguards for a transfer within a corporate group are binding corporate rules or a code of conduct. 
See more about international data transfers in <a href="https://gdpr-info.eu/chapter-5/" style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:baseline;background:transparent;color:rgb(157,11,13);text-decoration-line:none">Chapter 5 of the GDPR</a>.</p><ol style="margin:0px 0px 15px;padding:3px 0px 2px 20px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);list-style-position:initial;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px"><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;line-height:24px;font-size:16px;color:rgb(68,68,68)"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">Data breach notification</strong></li></ol><ul style="margin:0px 0px 15px;padding:3px 0px 2px 20px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);list-style-position:initial;font-size:1.15em;color:rgb(51,51,51);font-family:"Open Sans",sans-serif"><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;color:rgb(68,68,68);line-height:28.98px;list-style-position:inside">If the company is a processor: the company must inform the contracting party about a personal data breach within 24 hours from the moment it becomes aware of it;</li></ul><ul style="margin:0px 0px 15px;padding:3px 0px 2px 20px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);list-style-position:initial;font-size:1.15em;color:rgb(51,51,51);font-family:"Open Sans",sans-serif"><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;color:rgb(68,68,68);line-height:28.98px;list-style-position:inside">If the company is a controller and the contracting party is a processor: the company must be informed by the processor about a personal data breach on the processor’s side without undue delay AND the company must inform 
the supervisory authority of the relevant EU country within 72 hours from the moment it becomes aware of it. If the data breach carries risks to the rights of the data subjects, the company must also inform the data subjects; and</li></ul><ul style="margin:0px 0px 15px;padding:3px 0px 2px 20px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);list-style-position:initial;font-size:1.15em;color:rgb(51,51,51);font-family:"Open Sans",sans-serif"><li style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent;color:rgb(68,68,68);line-height:28.98px;list-style-position:inside">If both the company and the contracting party are controllers: the parties must inform each other about a personal data breach on their side within 24 hours from the moment the party becomes aware of it AND must inform the supervisory authority of the relevant EU country within 72 hours. If the data breach carries risks to the rights of the data subjects, the breached party must also inform the data subjects.</li></ul><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px"><strong style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:top;background:transparent">Why the Regulation matters.</strong></p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">Obeying the aforementioned requirements pursues at least two goals. First, in the case of a supervisory authority inspection, relationships with third parties will be one of the main subjects. Proper documentation of data transfers shows that the company is aware of the importance of data control and takes its obligations towards the data subjects seriously. 
Second, it will ensure the company treats its data subjects correctly and is able to handle all requests from them. Therefore, it adds to the company’s goodwill and mitigates the risk that the supervisory authority will receive a complaint about its data sharing activities.</p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">GDPR requirements might look like a new bureaucratic threshold for doing business in the European Union. Frankly speaking, they do create a threshold. To start a new project, a company has to implement the data protection by design principle and strict security requirements, adopt plenty of internal documents, and always keep an eye on the safety of the collected data.</p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">However, we live in an information society, where all such safeguards are vital to create a robust data-driven market. Furthermore, it is necessary to give control over personal data back to the data subjects. Even if most businesses have an opportunity to gain from their clients’ data, that does not mean they are allowed to abuse it. Personal data, like any business asset, carries risks along with benefits, although society has yet to understand this.</p><p style="margin:0px 0px 15px;padding:0px;border:0px;outline:0px;vertical-align:top;background:rgba(255,255,255,0.95);line-height:25.2px;color:rgb(51,51,51);font-family:"Open Sans",sans-serif;font-size:16.8px">Sooner or later, strict regulation in this area is likely to appear in every country. 
The adoption of the California Consumer Privacy Act 2018 and the Brazil Personal Data Protection Law are good examples in this regard. The ultimate purpose of such laws is to protect the privacy right of individuals and ensure free and lawful data flow through the market. And the best way to face the new order is to accept it as the new important rules of the game rather than as new obstacles to benefiting from technologies.</p></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>