[BreachExchange] Guidelines for GDPR Compliance in Third-Party Contracts

Inga Goddijn inga at riskbasedsecurity.com
Fri Nov 23 10:00:20 EST 2018


https://www.iotevolutionworld.com/iot/articles/440315-guidelines-gdpr-compliance-third-party-contracts.htm

The last few years have shown that personal data is not only one of the
most valuable assets an IT company holds but also a frequent object of
misuse. Examples range from selling users' data without telling them to
data breaches caused by inadequate protection measures. Cases like these
have driven the rise of strict national regulation in many countries.
Privacy matters, and not only to natural persons but to every company that
handles personal data.


Complying with personal data protection requirements is vital because it
builds the company's goodwill with clients and partners. Conversely, a
major violation exposes the company to liability: administrative fines of
up to EUR 20 million or 4% of total worldwide annual turnover, whichever is
higher (Art. 83(5)), or even a ban on the processing concerned, imposed by
the competent supervisory authority.


The European legislation that now governs the flow of personal data of
people in the EU is REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND
OF THE COUNCIL of 27 April 2016 (General Data Protection Regulation).
Alongside its requirements on collecting, using and protecting personal
data in business activities, the Regulation restricts sharing collected
data with third parties, whether for the company's own purposes or for the
third party's benefit.

Almost every contract involves some amount of personal data: a contract
may contain an officer's contact details, a company may share collected
e-mail addresses to obtain e-mail marketing services, or it may sell the
collected data for a third party's own marketing. Depending on the purpose,
volume and nature of the data concerned, the GDPR requirements will vary.
The common condition for any transfer of personal data, however, is that
the transfer is properly documented.

A few simple steps will help the company meet its obligations in contracts
with third parties and mitigate the risk of data misuse by those parties.

*First, you must decide if the potential contract involves personal
information. What falls under the definition of personal information?*

Personal data under the GDPR is any information relating to an identified or
identifiable natural person, i.e. a person who can be identified, directly
or indirectly, by reference to an identifier (Art. 4(1)).

Such identifiers include a person's name, an identification number,
location data (including geodata), online identifiers such as IP addresses
and cookie IDs, and factors specific to the person (genetic information,
physical characteristics, economic, cultural or social identity).

Any data collected about a natural person that is connected, or can be
connected, to such an identifier is personal data.

Examples include employee profiles, contact information, customer
databases, records of a user's activity on a website, and financial
activity. As long as the information is connected, or can be connected, to
a person's name, location or any other identifier listed above, it is
personal data.

The contract need not meet the data protection requirements, however, if it
only involves a transfer of anonymised, aggregated statistical information
from which no individual natural person can be singled out (Recital 26).
Note that this is a high bar: data that is merely stripped of names but can
still be re-linked to a person remains personal data.

Therefore, if the contract deals with any of the above-mentioned
information and that information is identifiable, the company must comply
with personal data protection legislation.

*Second, define whether the use of personal data falls under the
jurisdiction of the European Union.*

The European data protection legislation has one of the broadest
territorial scopes of any privacy law. The GDPR applies to the potential
contract if either of the following holds (Art. 3):

   - One of the contracting parties is established in the European Union
   and the processing takes place in the context of that establishment's
   activities, regardless of where the processing itself happens. Mere
   registration of a legal entity under the laws of an EU country is not
   decisive: what counts is the effective and real exercise of activity
   through stable arrangements, i.e. the office that actually makes the
   decisions about the contract and the data transfer is located in an EU
   country; or

   - The personal data was collected in connection with offering goods or
   services to data subjects in the EU (payment is irrelevant), or with
   monitoring the behaviour of data subjects in the EU. Note that the test
   is the data subject's location in the Union, not citizenship. The
   offering or monitoring must be intended: a website that is merely
   reachable from the EU, or incidental collection of data about people who
   happen to be in the EU, does not by itself bring the processing within
   scope.

*Third, determine the role of the company in the personal data exchange.*

The next, and most important, step in EU data protection compliance is
understanding the company's role in the data exchange. The scope and nature
of its obligations depend on what the company intends to do with the
personal data concerned.

Each party to the contract takes one of two roles: controller or
processor. The roles are not mutually exclusive between the parties; for
example, both parties may be controllers. Generally speaking:

   - *The Controller* determines its own purposes for the personal data
   use, whether it is marketing, training the artificial intelligence or for
   statistical purposes.

The company is a controller of the personal data if either:

   1. It provides the data to the contracting party, whether for the
   third party's own purposes or to have it processed on the company's
   behalf (e.g. by a payroll company); or
   2. It obtains personal data to use for its own purposes (e.g. its own
   marketing) or at its own request (e.g. to register the contracting
   party's employees for the company's event).


   - *The Processor *uses obtained data on behalf of the controller and
   only for the controller’s purposes.

The company is a processor if it obtains the data in order to process it on
the contracting party's behalf (e.g. data storage, e-mail distribution,
marketing analysis).

A common misconception is that a software vendor is automatically a
processor for every customer that uses its software to process data. It is
not. Software run by the customer is merely a tool for processing; the
company that uses the tool on the data is the controller or processor. The
vendor becomes a processor only where it actually handles the customer's
data itself, for instance by operating the software as a hosted service.

Based on this classification, all data relationships in agreements can be
divided into three groups:

   - *Controller-Processor relationships* – agreements in which the
   controller determines the scope, nature and purposes of the processing,
   provides the data to the processor, and the processor processes it on
   the controller's behalf. The most common examples are payment services,
   cloud storage and distribution of e-mail newsletters;


   - *Controller-Controller relationships *– this means that each
   contracting party has its own purposes in the data exchange. If the company
   sells its customers data to third parties, this is a controller-controller
   agreement, since each party processes the data on its own behalf; and


   - *Mixed relationships *– in many cases, the parties’ roles are mixed.
   That means that the contracting party can be a controller for one type of
   data (or purpose) and a processor for another data under the same
   agreement. In such case, it is vital to determine the exact role of the
   company in each separate data transfer. E.g. A company shares its data with
   the analytics service provider for the analytics services, and the provider
   may use the data for its own marketing or research purposes. The provider
   will be a processor in providing analytics services, while a controller for
   its own marketing/research.

Although these classifications may seem only to complicate matters, they
make the company certain of its rights and obligations regarding the
transferred data, because the GDPR requirements differ according to the
company's role.

*Finally, the GDPR requirements themselves. What must be met when the
company concludes the contract?*

   1. *The lawful basis for the transfer*

Before sharing the collected personal data, the company must ensure it has
a lawful basis for the transfer. Did the data subject allow the transfer of
his or her data to third parties?

Consent is not the only lawful basis, however. The GDPR requires one of six
lawful bases (Art. 6(1)) for any operation on the data:

   - *The data subject's specific consent* – required for data sale
   agreements and for any transfer not covered by another basis;

   - *Processing (transfer) is necessary for the performance of a
   contract with the data subject* – e.g. passing a customer's address to a
   delivery or payment provider so the order can be fulfilled. Engaging a
   processor that acts strictly on the controller's documented instructions
   does not itself require a separate basis or additional consent, since
   the processing remains the controller's own;

   - *Legitimate interests of the company* – the trickiest basis. It
   requires a documented balancing test, and a transfer can only rest on it
   where the data subject would reasonably expect such a transfer
   (Recital 47);

   - *Processing (transfer) is necessary to comply with the company's legal
   obligations*;

   - *Processing (transfer) is necessary to protect the data subject's
   vital interests*; and

   - *Processing is necessary for a task carried out in the public
   interest or in the exercise of official authority*.


   2. *Data protection agreements*

Although it is not obvious, proper documentation of data transfers is vital
for any controller. Data protection agreements, for example, will be
examined by a supervisory authority if it opens an investigation into the
company. During the investigation the authority examines each of the
company's contracts with third parties that process the collected personal
data, not only the company's Privacy Policy or other internal documents.

Data protection cannot be documented as just another boilerplate clause in
the arrangements between the parties. It must take the form of a separate,
specific agreement (or an addendum to the principal agreement).

If the company or the contracting party is a processor, there must be a
Data Processing Agreement (controller-processor agreement) with the
content required by Art. 28(3): the subject matter, duration, nature and
purpose of the processing, the types of data and categories of data
subjects, and the obligations described in the paragraphs below.

If the company and the contracting party are both controllers, there should
be a data sharing agreement (controller-controller agreement); where the
two jointly determine the purposes and means, Art. 26 requires an
arrangement allocating their responsibilities.

If personal data is transferred to a country outside the EU/EEA (on either
side of the contract) and that country has no adequacy decision from the
Commission, an appropriate safeguard under Chapter V must be in place.
The most common is the Commission's standard contractual clauses (SCCs),
which keep GDPR-level obligations binding on the recipient regardless of
its national legislation.

   3. *Data protection clauses*

If the personal data involved is limited to the contact details of the
signatories, or it is uncertain how much data will be involved, the
contract must still provide for the security of the information, purpose
limitation and the other requirements mentioned below. Alternatively, these
requirements can be placed in the Non-Disclosure Agreement.

   4. *Data security and confidentiality*

Both controllers and processors must ensure secure storage and processing
of the information (Art. 32), which includes:

   - Where appropriate and possible, storing the personal data separately
   from other data, and keeping any key or lookup table needed to
   re-identify pseudonymised data apart from the data itself;

   - Appropriate technical measures such as pseudonymisation, encryption at
   rest, and transport encryption (TLS, i.e. HTTPS) for data in transit,
   as appropriate to the risk; and

   - Restricted access to the personal data obtained. Only authorised
   persons may access the data, and only for the purposes of the agreement.
   Where the company provides data to a processor, the processor's
   employees (or other persons authorised to process on its behalf) must
   have committed themselves to confidentiality or be under an appropriate
   statutory obligation of confidentiality (Art. 28(3)(b)).
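The separate-storage and pseudonymisation measures just listed, shown as an
added Python example (this is not code from the original article): a
controller splits a customer export into a keyed-token dataset that goes to
the processor and a re-identification table that stays with the controller.
The key value, the field list and the two sample records are constructed for
illustration.

```python
"""Pseudonymise a customer export before it goes to a processor.

Added example, not from the original article. Assumes the controller holds a
secret key that is never handed to the processor and keeps the
re-identification table itself: GDPR Art. 4(5) defines pseudonymisation as
processing such that the data can no longer be attributed to a person without
additional information that is kept separately.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Fields that directly identify a person; they never leave the controller.
DIRECT_IDENTIFIERS = ("customer_id", "email", "name", "ip")

# Constructed sample export (fictitious people, RFC 5737 test addresses).
CUSTOMERS: List[Dict[str, object]] = [
    {"customer_id": "C-1001", "email": "alice@example.org", "name": "Alice Example",
     "country": "DE", "orders_last_90d": 4, "ip": "203.0.113.7"},
    {"customer_id": "C-1002", "email": "bob@example.net", "name": "Bob Sample",
     "country": "FR", "orders_last_90d": 0, "ip": "198.51.100.23"},
]


def pseudonym(key: bytes, customer_id: str) -> str:
    """Keyed token for one data subject.

    HMAC-SHA256 rather than a bare hash: a processor (or attacker) holding a
    list of candidate customer IDs cannot recompute the tokens without the
    controller's key, so the dataset cannot be re-linked by dictionary attack.
    """
    return hmac.new(key, customer_id.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(
    records: List[Dict[str, object]], key: bytes
) -> Tuple[List[Dict[str, object]], Dict[str, str]]:
    """Split an export into (dataset for the processor, lookup table for the controller)."""
    dataset: List[Dict[str, object]] = []
    lookup: Dict[str, str] = {}
    for rec in records:
        cid = str(rec["customer_id"])
        token = pseudonym(key, cid)
        lookup[token] = cid  # stays with the controller, stored separately
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_token"] = token
        dataset.append(row)
    return dataset, lookup


def leaks_identifiers(dataset: List[Dict[str, object]]) -> bool:
    """Pre-shipment check: True if any direct identifier field survived."""
    return any(k in DIRECT_IDENTIFIERS for row in dataset for k in row)


def reidentify(lookup: Dict[str, str], token: str):
    """Controller-side step, e.g. to act on an erasure request the processor
    passes back by token. Returns None for an unknown token."""
    return lookup.get(token)


if __name__ == "__main__":
    key = b"controller-only-secret"  # assumption: in practice fetched from the controller's KMS
    ds, lk = pseudonymise(CUSTOMERS, key)
    assert not leaks_identifiers(ds)
    print("to processor:", ds[0])
    print("controller re-identifies:", reidentify(lk, str(ds[0]["subject_token"])))
```

The point of the split is that the processor can do its analytics on
`subject_token` and return results or erasure requests keyed by it, while
only the controller, holding both the key and the lookup table, can map a
token back to a person.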


   5. *A person responsible for the personal data*

Both controllers and processors should name in the contract a contact
person on each side who can be addressed on any issue regarding the
personal data. This person oversees the use, security, deletion and
rectification of the data (where the company has appointed a Data
Protection Officer under Art. 37, this will usually be that person).

   6. *Purpose limitation*

The purposes for which the personal data may be used must be clearly set
out in the agreement:

   - If the company is a processor under the contract, it may use the
   personal data only on behalf of the contracting party, only for the
   purposes stated in the contract, and only on the controller's documented
   instructions; and

   - If the company is a controller, it may use the data only for those of
   its own purposes that are specified in the contract.


   7. *Deletion, return and rectification*

Data subjects may ask the controller to delete or correct information about
them. If that information was transferred under the agreement, both
controllers and processors must delete, return or rectify the data they are
processing. Personal data must also be deleted once it is no longer
necessary for the purposes of the contract. A legal obligation to retain
the personal data is an exception to these rules.

   8. *Cooperation and assistance*

Another important matter to stipulate in the agreement is the assistance
the receiving party (processor or controller) gives the controller in
meeting the controller's obligations. Cooperation and assistance fall into
two groups of obligations:

   - *Data subject requests*. Who answers the inquiries? The parties may
   decide to handle requests jointly or place the obligation on the main
   (or sole) controller. In either case the receiving party and all third
   parties involved must be bound to assist the controller with data
   subject requests; and

   - *Supervisory authority inspections*. It is reasonable to document the
   receiving party's obligation to inform the controller of any inspection.
   In that event the contracting parties, and all third parties engaged,
   must cooperate and jointly provide all necessary information about the
   processing activities under the contract, including the data
   protection/processing agreements themselves.


   9. *Transfer to third parties and third countries*

Neither controllers nor processors may pass the personal data on to third
parties or to third countries unless the contract provides for it or the
disclosing party has agreed. For a processor this means that sub-processors
may be engaged only with the controller's prior specific or general written
authorisation (Art. 28(2)). In every case, any third party that receives
the data must be bound to the same level of obligations that the
contracting parties have regarding the information.

Furthermore, the company must have appropriate safeguards in place before
transferring the data to a third country. One such safeguard was mentioned
under the data protection agreements above: the standard contractual
clauses. For transfers within a corporate group the appropriate safeguard
is binding corporate rules (Art. 47); approved codes of conduct and
certification mechanisms are also listed in Art. 46(2). See Chapter 5 of
the GDPR on international data transfers <https://gdpr-info.eu/chapter-5/>.

   10. *Data breach notification*

   - If the company is a processor: it must notify the contracting party
   (the controller) of a personal data breach without undue delay after
   becoming aware of it (Art. 33(2)). The Regulation sets no fixed number
   of hours for this step; a 24-hour window is a common contractual
   choice, and the agreement should state it explicitly so that the
   controller can meet its own 72-hour deadline;

   - If the company is a controller and the contracting party is a
   processor: the processor must notify the company of a breach on the
   processor's side without undue delay, AND the company must notify the
   supervisory authority of the relevant EU country within 72 hours of
   becoming aware of the breach, unless the breach is unlikely to result in
   a risk to data subjects (Art. 33(1)). Where the breach is likely to
   result in a high risk to the rights and freedoms of data subjects, the
   company must also inform the data subjects (Art. 34); and

   - If both the company and the contracting party are controllers: the
   Regulation imposes no duty on controllers to notify each other, so the
   contract should require each party to inform the other of a breach on
   its side (again, 24 hours is a common term). Each controller must
   notify its supervisory authority within 72 hours of becoming aware, and
   where the breach is likely to result in a high risk to data subjects,
   the breached party must also inform the data subjects.

*Why the Regulation matters.*

Meeting the above requirements serves at least two goals. First, in a
supervisory authority inspection, relationships with third parties will be
one of the main subjects examined; properly documented data transfers show
that the company understands the importance of data control and takes its
obligations to data subjects seriously. Second, it ensures the company
treats its data subjects correctly and is able to handle all their
requests. This adds to the company's goodwill and reduces the risk that the
supervisory authority receives a complaint about its data sharing
activities.

GDPR requirements may look like a new bureaucratic threshold for doing
business in the European Union. Frankly, they do create one. To start a new
project, a company has to implement data protection by design, meet strict
security requirements, adopt a large body of internal documentation, and
keep a constant eye on the safety of the data it collects.

However, we live in an information society in which such safeguards are
vital to a robust data-driven market. It is also necessary to give control
over personal data back to the data subjects. That most businesses have the
opportunity to profit from their clients' data does not mean they are
allowed to abuse it. Personal data, like any business asset, carries risks
along with benefits, although society has yet to fully appreciate this.

Sooner or later, strict regulation in this area is likely to appear in
every country; the adoption of the California Consumer Privacy Act of 2018
and the Brazil Personal Data Protection Law (LGPD) are good examples. The
ultimate purpose of such laws is to protect the privacy rights of
individuals and to ensure the free and lawful flow of data through the
market. The best way to face the new order is to accept it as the new
rules of the game rather than as obstacles to benefiting from technology.