SlideShare a Scribd company logo

Controller-to-processor agreements

Download as PPTX, PDF
T
Tommy Vandepitte

The document elaborates on the roles and responsibilities of data controllers and processors as defined under GDPR, highlighting the importance of agreements to ensure compliance with data protection laws. It details the obligations of both parties, including security measures and the use of subprocessors, as well as the necessary documentation to support data processing activities. Additionally, it discusses the complexity in varying roles, ensuring obligations are met while facilitating data flows in compliance with relevant legal frameworks.

Law
1 of 58
Downloaded 11 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
Controller-to-Processor Agreements Tommy Vandepitte
PLAYERS ON THE BOARD
Processor A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller  Antagonist of controller
Controller A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data  Siderule: Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law  Next to (explicit or implicit) legal competence to “determine”, factual influence, predictability and visibility (to the data subjects) play a role  Determination of the purpose is most important, “essential” means follow
“Clear” cases Processor • Marketing campaign service provider (paper, email, text) • Payroll service provider • Call center • Service provider performing selection tests and reporting back results • Service provider that custom built an IT solution and hosts it afterwards • IaaS service provider • PaaS service provider • Telecom service provider for the content of the messages • Saas service provider (when not in the situation of a monopoly?) Controller • Payment Employer (for HR data) • Corporation (for shareholder data) • Association (for member data) • Bank (for AML, investment profile, ...) • Service provider (for AML, transaction data) • Insurance company (for acceptance and claims handling) • Social networks using (some of) the data for advertising • Search engines using (some of) the data for advertising • Data broker • Straff recruitment agencies (for the pool of potential recruits) • Building owner installing security cameras independent of lessees
Harder cases • Possibility of combination of roles ! – Bank or Insurance Broker (AML, advice of the customer, transit of data in both acceptance and claims process) – Data broker both performing data enrichment (delivering “enriching” data and performing the enrichment on its platform) • (Semi)monopolistic processor • Processor that (over the years) has locked in the controller
Harder cases • Interim worker services providers / consultancy firms bodyshopping “experts” (e.g. Randstad, Adecco,...) • Meal voucher service provider (e.g. Sodexho, Monizze,...)
Sources • Article 29 Working Party – Opinion 1/2010 on the concepts of “controller” and “processor”, WP 169, 16 February 2010 – Opinion 5/2009 on online social networking, WP163, 12 June 2009 – Opinion 10/2006 on the processing of personal data by SWIFT, WP128, 22 November 2006 • Brendan Van Alsenoy, Regulating Data Protection, PhD Thesis KULeuven, 2016, 610 p.
PLAYER’S ACTIONS
Processor’s to dos • Own obligations – Warning controller (“sanity check”) – art. 28 §3 – DPO – art. 37 GDPR – Processing register – art. 30 GDPR – Security – art. 29 and 32 GDPR – Data breach notification to controller – art. 33 §2 – Subprocessor(s) (selection, C’s approval, chain of obligations, liability) – art. 28 §2, §3 d and §4 – Agreement with controller(s) – art. 28 §3
Controller’s to dos (wrt processors) • Selection – art. 28 §1 – At start: • RFP • Asks the right questions (and proof) in selection process – General questions / “google” – Questionnaires – Assurance – In flight: prioritise for assessment of agreement and follow-up • priority to processors, then access to systems or premises • priority to special categories of data, large numbers of data subjects, large number of data, transfer outside of EU, ... • assess if mere instructions would be sufficient • Agreement – art. 28 §3
THE AGREEMENT
Exception of art. 28 §3 • Other legal act under Union or Member State law – that is binding on the processor with regard to the controller – that sets out the same as the agreement • the subject-matter and duration of the processing • the nature and purpose of the processing • the type of personal data and categories of data subjects • the obligations and rights of the controller – and contains the same stipulations as the agreement • Examples ? – Statutes generally do not meet the criteria
Paperwork • New agreement: no (in general) – If there is an agreement in place that met article 17 GDPD (art. 16 Belgian Data Protection Act,...) then instructions to fill the gaps could suffice – Otherwise: amendment / schedule • One schedule per type of processing / service delivery contract ? – No, a “frame schedule” is possible and preferable, even if for contract management purposes it can be signed in more copies to be able to add a copy to each agreement • Future – Data protection is just another item in the overall agreement
Paper-work • In writing – On paper – Digital • Sign on papier, scan and upload • Sign with qualified digital signature and upload • Complete online in online platform – via unique link : e.g. http://peppered.proposable.com/ – after unique login: e.g. https://loreal.service-now.com/
Controller-to-processor agreements
Controller-to-processor agreements
Controller-to-processor agreements
C2P Agreement 1. Describe processing 2. Obligations and rights of the controller 3. Instructions 4. Staff 5. Security 6. Subprocessors 7. Assistance 1. wrt data subjects’ rights 2. wrt security, data breach and DPIAs 8. End (destroy and/or return) 9. Proof (incl. audit)
Ref. C2P SCC 2010 Variation of the contract The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Qualification? • Obligation – Not really • Reality – Often requested in the core of the agreement – Parties explicitly named controller and processor • Suggestion – In the preamble at best, giving context and the reason why an agreement is concluded that meets article 28 • What in case of disagreement? – also put it in the preamble and that the agreement is a compromise (e.g. between C2C and C2P)
Definitions? • Obligation – Not really • Reality – Often requested in the core of the agreement • Suggestion – In the preamble at best, refer that any terms defined in the GDPR will be construed in line therewith • What in case of disagreement? – also put it in the preamble and that the agreement is a compromise (e.g. between C2C and C2P)
Ref. C2P SCC 2010 For the purposes of the Clauses: (a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; (b) 'the data exporter' means the controller who transfers the personal data; (c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC; (d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract; (e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established; (f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Parties may reproduce definitions and meanings contained in Directive 95/46/EC within this Clause if they considered it better for the contract to stand alone.
Description of the data processing • Obligation: set out – the subject-matter and duration of the processing – the nature and purpose of the processing – the type of personal data and categories of data subjects • Reality – Reference to the “main agreement”  not clear enough – Reference to a schedule  not prefilled, discussion on the level of detail • Suggestion – Reference to the controller’s part of the processing register that has to be completed by the processor anyway – Data map of the data processing (e.g. swimming lanes)
Ref. C2P SCC 2010 Details of the transfer The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses. Appendix 1 This Appendix forms part of the Clauses and must be completed and signed by the parties. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix. Data exporter The data exporter is (please specify briefly your activities relevant to the transfer): … Data importer The data importer is (please specify briefly activities relevant to the transfer): … Data subjects The personal data transferred concern the following categories of data subjects (please specify): … Categories of data The personal data transferred concern the following categories of data (please specify): … Special categories of data (if appropriate) The personal data transferred concern the following special categories of data (please specify): … Processing operations The personal data transferred will be subject to the following basic processing activities (please specify): …
Obligations and rights of the controller • Obligation – Set out the obligations and rights of the controller • Reality – Processor ask for reps and warranties by the controller on compliance with the law • Suggestion – 100% compliance is impossible. Suffice with championing / striving to compliance. – Assess the different reps and warranties. If feasible (the risk should logically be with the controller and is under the control of the controller), accept them and/or make them reciprocal (where such is a valid request).
Ref. C2P SCC 2010 The data exporter agrees and warrants: (a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State; (b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses; (c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
Ref. C2P SCC 2010 - cont’d (d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation; (e) that it will ensure compliance with the security measures; (f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC; (g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension; (h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information; (i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and (j) that it will ensure compliance with Clause 4(a) to (i).
Instructions • Obligation – The processor processes the personal data only on documented instructions from the controller, inclduing with regard to transfers of personal data to a thrid country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important ground of public interest • Reality – Limitation of instructions due to the setup of the processor – Instructions are handled like “change requests” which require feasibility assessment, throughput time and extra cost • Suggestion – Include the wording as in the law, also refer to art. 29 – Clarify that unreasonable obstructions endanger qualification
Ref. C2P SCC 2010 The data importer agrees and warrants: (a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract; (b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract; (d) that it will promptly notify the data exporter about: (i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
What if the instruction is (possibly) contrary to the law? • Duty – Inform – Not: stop the business • Liability – Explicity refer it back to the controller
Example information letter We have received your instruction dd. (date) to (brief recap of the instruction). In our opinion this instruction is contrary to the GDPR, more particularly article (relevant articles and/or recitals). Therefore we kindly refuse to execute that instruction. We are open to any argument you may have as to how the instruction is in line with the GDPR. In any case, and especially should you force us to execute the instruction, we will consider such further instruction to include a waiver of any liability on our part and a commitment to – if necessary – to hold us harmless should we suffer any damages (including any reputational damage for us) as a consequence of execution on your instruction. We hope you understand that we had to bring this to your attention in writing and with this level of gravity, as we consider informing you of our opinion our duty under artikel 28 §3 in fine GDPR.
Staff • Obligation – The processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality • Reality – art. 29 has direct effect – controllers also want “purpose bound” and “integrity” – controllers want organisational measures and proof • Suggestion – Include the wording as in the law, also refer to art. 29
Security • Obligation – The processor takes all measures required pursuant to article 32. • Reality – Controllers want minimum technical and organisational measures (especially if that is considered essential e.g. for health data, financial data,...) and assurance. • Suggestion – Include references to the industry standard and internal policies, as the case may be, launch them as instructions. – In an RFP, make them part of the selection process. – Strive for certification (e.g. ISO27000, ...)
Ref. C2P SCC 2010 The data importer agrees and warrants: (c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred; Appendix 2 Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached): …
Subprocessors • Obligation – The processor respects the conditions referred to in art. 28 §2 and §4 for engaging other processors. • Reality – Art. 28 §2 and §4 apply directly. – Processors aim for general authorisations and short veto cycles; controllers want more control. – Processor may be hampered in is business when a subprocessor is vetoed. • Suggestion – Controller: assess the risk and organise the relationship management (and information to DPO) in case of notification. – Avoid larger risks: prohibit extra EU transfers, transfer of high risk data, large volumes of data without specific prior approval. – In case of abuse, escalate internally, protect towards the processor, and notify DPA.
Ref. C2P SCC 2010 The data importer agrees and warrants: (h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent; (i) that the processing services by the subprocessor will be carried out in accordance with Clause 11; (j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
Ref. C2P SCC 2010 – cont’d Subprocessing 1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement. 2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses. 3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely (…) 4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority. This requirement may be satisfied by the subprocessor co-signing the contract entered into between the data exporter and the data importer under this Decision.
Assistance (1) • Obligation – The processor, taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to request for exercising the data subject’s rights (chapter III). • Reality – The processor wants to be paid for his help, whereas the controller needs to answer (in principle) without charging a cost. – Often processor systems are not privacy-by-design (do not allow for data export, data protability, data deletion, ...). • Suggestion – Include the wording as in the law – Establish a reasonable cost / fee. Establish that if the answer cannot (timely) be given due to the processor, no cost/fee is paid and the liability thereof is on the processor. – Design a roadmap to become privacy-by-design, where the cost should be spread over all (GDPR subject) customers.
Ref. C2P SCC 2010 The data importer agrees and warrants: (d) that it will promptly notify the data exporter about: (...) (iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
Assistance (2) • Obligation – The processor assists the controller in ensuring compliance with the obligation pursuant to article 32 (security) taking into account the nature of the processing and the information available to the processor. • Reality – The processor does not want to commit to the unknown and wants to be paid for any efforts. – The controller wants to ensure his perimeter is secure. • Suggestion – Include the wording as in the law – Set up a process / relationship management on information security and data protection e.g. In the foreseen monthly / quarterly / monthly meetings.
Assistance (3) • Obligation – The processor assists the controller in ensuring compliance with the obligation pursuant to article 33-34 (data breach notification / communication) taking into account the nature of the processing and the information available to the processor. • Reality – Processors ask that data leaks on the controller side are notified to them. – Processors want to be sure that mere notification does not constitute proof of any breach of duty on their part. – Processors want to be paid for any effort. – Processors do not want to notify data breaches that are not relevant for the controller. – Controllers want to be sure of collaboration in such cases of crisis. – Controllers want the processor to take up responsability / liability if the data breach is the processor’s fault. • Suggestion – Include the wording as in the law, possible reference to 33 §2 – Limit the scope of notifications to those that are relevant (but be aware of incidents that may have collateral damage, like instrusion in the network, malfunction of virtual servers, etc. for which periodic statistic reporting may be a prudent approach ) – Include ISOs and DPOs in the relationship management – Perform data breach exercises with the critical processors (against no or a reasonable fee)
Ref. C2P SCC 2010 The data importer agrees and warrants: (d) that it will promptly notify the data exporter about: (...) (ii) any accidental or unauthorised access, and (…)
Assistance (4) • Obligation – The processor assists the controller in ensuring compliance with the obligation pursuant to article 35-36 (DPIA/prior checking) taking into account the nature of the processing and the information available to the processor. • Reality – The processor wants to be paid for any extra efforts. – Acts of the processor may trigger a DPIA (e.g. the tranfser outside of the EU) – The controller when performing a DPIA helps the processor in his duty to have a processing register and setting up adequate security measures. • Suggestion – Include the wording as in the law – Perform the DPIA as part of the documentation of the agreement
Duration ? • Obligation – Not really • Reality – Parties tend to define the duration of the agreement as equal to the main agreement. • Suggestion – Define the duration of the agreement as equal to the main agreement, with the clarification that the indicated clauses or clauses that by their nature survive, continue resorting effect.
End • Obligation – The processor at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies, unless Union or Member State law requires storage of the personal data. • Reality – Processor has an issue with immediate deletion, e.g. in case of potential liability claim later. – Processor asks for a fee for the return of the data. – What if the processor does not actually delete? • Suggestion – Include the wording as in the law – Agree on retention period for the duration of a potential claim. As the case may be, provide a specific statute of limitation, relief from claim, and/or cooperation on proof in case of a(n externally triggered) disputed. – Insert the obligation to provide written assurance of deletion within x days.
Ref. C2P SCC 2010 Obligation after the termination of personal data processing services 1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore. 2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
Proof • Obligation – The processor makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in article 28 and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. • Reality – Processor does not want to provide “blanket” access for an audit. – Processor wants to be paid for the time and other costs related to the audit. – Controller should pay for the audit, even it if shows that the processors is not performing as he should. • Suggestion – Include the wording as in the law – The processor can / should at regular times provide for written assurance which he can provide to all or multiple customers (e.g. ISAE 3402 SOC 2 type II). – Foresee for “lighter” assurance for non-critical processors, e.g. questionnaires. – Audit will be paid by the controller, unless the audit finds (important) shortcomings, in which case the audit should be paid by the processor, as well as the remediation of such (important) shortcomings.
Ref. C2P SCC 2010 The data importer agrees and warrants: (e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred; (f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
Ref. C2P SCC 2010 – cont’d Cooperation with supervisory authorities 1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law. 2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law. 3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Liability? • Obligation – Not really • Reality – processor wants no or capped liability, cap often being a factor of the value of the contract / earnings on the contract (e.g. 100% of last year’s paid service fees) – judicial remedy (79), liability to DS (82), fines (83) – ISPs: rec. 21 and article 2 §4  art. 12-15 Dir. 2000/31 • No liability for content transmitted or hosted • Suggestion – though one, what about coexistence of contractual and tort law liability ?
Ref. C2P SCC 2010 Liability 1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered. 2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities. 3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Pay extra? • Obligation – Not really • Reality – Processors want to be paid for all or some additional actions • Suggestion – No extra pay for own obligations – Limited extra pay for extra services that are spread over different customers – Reasonable extra pay for extra services IF not caused by law or processor lack of diligence (e.g. upgrade in security that was long due, audit cost + remediation of flaws found during audit, ...)
Applicable law? • Obligation – Not really, EU countries (from a data protection perspective) considered equivalent (see e.g. art. 32) • Reality – processor often wants own law and jurisdiction (even within the EU) • Suggestion – distinction between data processing and remainder of the agreement (cf. standard contractual clauses)
Ref. C2P SCC 2010 Governing Law The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely (…)
Jurisdiction? • Obligation – Not really • Reality – Processor wants own, national courts • Suggestion – Insert an escalation process (RM, C-level, BoD-level) – Use arbitration with specialists in DP, relevant technology and relevant sector – Leave it up to the supplementary rules of international private law
Ref. C2P SCC 2010 Mediation and jurisdiction 1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject: (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority; (b) to refer the dispute to the courts in the Member State in which the data exporter is established.
What if parties cannot agree? • Obligation – Obligation to have such an agreement in place • Reality – Disagreement on qualification – Disagreement on “prescribed” clauses (subprocessors, ...) – Disagreeent on “non-prescribed” clauses (liability,. applicable law,..) • Suggestion – Qualification: letter that there is no need for an agreement – Agreement on the agreed topics with the conclusion that the other elements will be further negotiated (immediately or as soon as more clarity if provided by the DPAs)

More Related Content

PDF
Nota Sejarah Tingkatan 3
Uvarajan Malayan Prince
 
PPTX
Bab 3 Konflik Dunia dan Pendudukan Jepun di Negara Kita.pptx
MEGANYEOHTZEXUANMoe
 
PPTX
Zaman penjajahan
Fitri117
 
PDF
Nota Padat Sejarah SPM (Ting 4&5)
Asia Pacific University of Technology & Innovation (APU)
 
PPT
3G (Gold,Glory,God)
Ain Dynaz
 
PPT
Bab 3 f4
Faridah Hanum
 
DOCX
Inersia
Rukiah Abdullah
 
PPS
Physics form 5 chapter 1
University Science Penang
 
Nota Sejarah Tingkatan 3
Uvarajan Malayan Prince
 
Bab 3 Konflik Dunia dan Pendudukan Jepun di Negara Kita.pptx
MEGANYEOHTZEXUANMoe
 
Zaman penjajahan
Fitri117
 
Nota Padat Sejarah SPM (Ting 4&5)
Asia Pacific University of Technology & Innovation (APU)
 
3G (Gold,Glory,God)
Ain Dynaz
 
Bab 3 f4
Faridah Hanum
 
Inersia
Rukiah Abdullah
 
Physics form 5 chapter 1
University Science Penang
 

What's hot (20)

PPTX
BAB 3 - Kerajaan Awal Di Asia Tenggara
Redwan Haris
 
PPTX
Sejarah 1.5 INSTITUSI KHALIFAH
Ismi Hawa Ahmad
 
PDF
Bab-4- Pensejarahan-berbentuk-undang-undang
firo HAR
 
PPT
Bab 5 Kegemilangan Melaka (Ting 1)
Zahari Rusdi
 
PDF
Biologi topik 3 t4 pergerakan bahan merentasi membran plasma
JANGAN TENGOK
 
DOCX
Refleksi kemahiran kepimpinan dan kerja berpasukan
nuraida95
 
PPS
12.graf gerakan
Atiqah Azmi
 
PDF
Stpm latihan topikal penggal 1
Mohd sayuti Deraman
 
DOCX
Mathematics form 3-chapter 9 & 10 Scale Drawing + Transformation II © By Kelvin
KelvinSmart2
 
PPTX
Latihan kecemasan
cikgunor9
 
PPTX
20120323170318 kuliah 2 sistem kerajaan awal asia tenggara
Tatulrich Tatul
 
PPTX
Kesimpulan
Hamizan Md
 
PPTX
Perniagaan & persekitaran stpm sem 1
Norazul89
 
PDF
sejarah-memanah (1).pdf
KasihLatifah1
 
DOCX
Contoh tajuk speaking test pt3 bahasa inggeris
Umagowrie Supramaniam
 
PDF
Spm sejarah kertas 1 2012
norziana78
 
PPS
Bab 1 pendudukan jepun di negara kita
rubiah ali
 
DOCX
Refomasi pentadbiran awam
emzeka1987
 
PPT
ilmu ketamadunan (TITAS)
Haslinda Jamaluddin
 
DOCX
KERAJAAN KEDAH TUA DAN BERUAS
Santa Barbara
 
BAB 3 - Kerajaan Awal Di Asia Tenggara
Redwan Haris
 
Sejarah 1.5 INSTITUSI KHALIFAH
Ismi Hawa Ahmad
 
Bab-4- Pensejarahan-berbentuk-undang-undang
firo HAR
 
Bab 5 Kegemilangan Melaka (Ting 1)
Zahari Rusdi
 
Biologi topik 3 t4 pergerakan bahan merentasi membran plasma
JANGAN TENGOK
 
Refleksi kemahiran kepimpinan dan kerja berpasukan
nuraida95
 
12.graf gerakan
Atiqah Azmi
 
Stpm latihan topikal penggal 1
Mohd sayuti Deraman
 
Mathematics form 3-chapter 9 & 10 Scale Drawing + Transformation II © By Kelvin
KelvinSmart2
 
Latihan kecemasan
cikgunor9
 
20120323170318 kuliah 2 sistem kerajaan awal asia tenggara
Tatulrich Tatul
 
Kesimpulan
Hamizan Md
 
Perniagaan & persekitaran stpm sem 1
Norazul89
 
sejarah-memanah (1).pdf
KasihLatifah1
 
Contoh tajuk speaking test pt3 bahasa inggeris
Umagowrie Supramaniam
 
Spm sejarah kertas 1 2012
norziana78
 
Bab 1 pendudukan jepun di negara kita
rubiah ali
 
Refomasi pentadbiran awam
emzeka1987
 
ilmu ketamadunan (TITAS)
Haslinda Jamaluddin
 
KERAJAAN KEDAH TUA DAN BERUAS
Santa Barbara
 
Ad

Similar to Controller-to-processor agreements (20)

PDF
OSDC 2012 | Data Protection, Software Licences and other Legal Issues in the ...
NETWAYS
 
PPTX
2015-0318 GAC Presentation - BCR - 05052015
Jan Dhont
 
PDF
TrustArc Webinar - Mastering Privacy Contracting: Key Clauses, Risks & Negoti...
TrustArc
 
PPTX
250220 blockchain gdpr_blockchain_hillemann_presentation
DennisHillemann
 
PDF
Feedback on Draft Personal Data Protection Bill 2018 submitted to MEITY
Nanda Mohan Shenoy
 
PPTX
Legal Challenges in Contracting for Cloud Services
Lou Milrad
 
PPTX
Misa cloud computing workshop lhm final
Lou Milrad
 
PPTX
The GDPR’s impact on your business and preparing for compliance
IT Governance Ltd
 
PPTX
EU General Data Protection Regulation - Update 2017
Cliff Ashcroft
 
PDF
GDPR: Requirements for Cloud Providers
IT Governance Ltd
 
PPTX
SLALOM Webinar Final Legal Outcomes Explanined "Using the SLALOM Contract Ser...
Oliver Barreto Rodríguez
 
PDF
How IBM Supports Clients around GDPR and Cybersecurity Legislation
IBM Security
 
PDF
20180305 the dayafter_bavovdh_cranium_dpo_pro
Koenraad FLAMANT
 
PDF
EU GDPR and you: requirements for marketing
IT Governance Ltd
 
PDF
Data Processing Agreement - Hetzner
DOTCOMIT PRO SRL
 
PDF
Case by case - moving data centres to Romania
Țuca Zbârcea & Asociații
 
PDF
GDPR and Blockchain
Salman Baset
 
PPTX
Trust in the Cloud: Legal and Regulatory Framework
Francoise Gilbert
 
PPTX
Cloud computing : legal , privacy and contract issues
Lilian Edwards
 
PDF
EU Data Protection Regulation Skyhigh Networks
Alberto Peñaranda Echevarría
 
OSDC 2012 | Data Protection, Software Licences and other Legal Issues in the ...
NETWAYS
 
2015-0318 GAC Presentation - BCR - 05052015
Jan Dhont
 
TrustArc Webinar - Mastering Privacy Contracting: Key Clauses, Risks & Negoti...
TrustArc
 
250220 blockchain gdpr_blockchain_hillemann_presentation
DennisHillemann
 
Feedback on Draft Personal Data Protection Bill 2018 submitted to MEITY
Nanda Mohan Shenoy
 
Legal Challenges in Contracting for Cloud Services
Lou Milrad
 
Misa cloud computing workshop lhm final
Lou Milrad
 
The GDPR’s impact on your business and preparing for compliance
IT Governance Ltd
 
EU General Data Protection Regulation - Update 2017
Cliff Ashcroft
 
GDPR: Requirements for Cloud Providers
IT Governance Ltd
 
SLALOM Webinar Final Legal Outcomes Explanined "Using the SLALOM Contract Ser...
Oliver Barreto Rodríguez
 
How IBM Supports Clients around GDPR and Cybersecurity Legislation
IBM Security
 
20180305 the dayafter_bavovdh_cranium_dpo_pro
Koenraad FLAMANT
 
EU GDPR and you: requirements for marketing
IT Governance Ltd
 
Data Processing Agreement - Hetzner
DOTCOMIT PRO SRL
 
Case by case - moving data centres to Romania
Țuca Zbârcea & Asociații
 
GDPR and Blockchain
Salman Baset
 
Trust in the Cloud: Legal and Regulatory Framework
Francoise Gilbert
 
Cloud computing : legal , privacy and contract issues
Lilian Edwards
 
EU Data Protection Regulation Skyhigh Networks
Alberto Peñaranda Echevarría
 
Ad

More from Tommy Vandepitte (20)

DOCX
DPIA template
Tommy Vandepitte
 
DOCX
Gegevensbescherming-clausule in (overheids)opdracht
Tommy Vandepitte
 
PPTX
20190131 - Presentation Q&A on legislation's influence (on travel management)
Tommy Vandepitte
 
PPTX
GDPR toegepast op huur-verhuur (Dutch)
Tommy Vandepitte
 
PPTX
Gegevensbescherming makelaars
Tommy Vandepitte
 
PPTX
EEAS - Cultivate your data protection
Tommy Vandepitte
 
PPTX
Presentation for the LSEC GDPR event - 20171130
Tommy Vandepitte
 
PPTX
Training privacy by design
Tommy Vandepitte
 
PPTX
GDPR voor steden en gemeenten (Dutch)
Tommy Vandepitte
 
PPTX
GDPR project board deck (example)
Tommy Vandepitte
 
PPTX
IS/DPP for staff #8 - Monitoring
Tommy Vandepitte
 
PPTX
IS/DPP for staff #7 - Incidents
Tommy Vandepitte
 
PPTX
IS/DPP for staff #6 - Acceptable use
Tommy Vandepitte
 
PPTX
IS/DPP for staff #5b - Passwords
Tommy Vandepitte
 
PPTX
IS/DPP for staff #5a - Access
Tommy Vandepitte
 
PPTX
IS/DPP for staff #3b - Data Classification
Tommy Vandepitte
 
PPTX
IS/DPP for staff #3a - Data
Tommy Vandepitte
 
PPTX
IS/DPP for staff #2 - Why?
Tommy Vandepitte
 
PPTX
IS/DPP for staff #1 - intro
Tommy Vandepitte
 
PPTX
Training Procurement
Tommy Vandepitte
 
DPIA template
Tommy Vandepitte
 
Gegevensbescherming-clausule in (overheids)opdracht
Tommy Vandepitte
 
20190131 - Presentation Q&A on legislation's influence (on travel management)
Tommy Vandepitte
 
GDPR toegepast op huur-verhuur (Dutch)
Tommy Vandepitte
 
Gegevensbescherming makelaars
Tommy Vandepitte
 
EEAS - Cultivate your data protection
Tommy Vandepitte
 
Presentation for the LSEC GDPR event - 20171130
Tommy Vandepitte
 
Training privacy by design
Tommy Vandepitte
 
GDPR voor steden en gemeenten (Dutch)
Tommy Vandepitte
 
GDPR project board deck (example)
Tommy Vandepitte
 
IS/DPP for staff #8 - Monitoring
Tommy Vandepitte
 
IS/DPP for staff #7 - Incidents
Tommy Vandepitte
 
IS/DPP for staff #6 - Acceptable use
Tommy Vandepitte
 
IS/DPP for staff #5b - Passwords
Tommy Vandepitte
 
IS/DPP for staff #5a - Access
Tommy Vandepitte
 
IS/DPP for staff #3b - Data Classification
Tommy Vandepitte
 
IS/DPP for staff #3a - Data
Tommy Vandepitte
 
IS/DPP for staff #2 - Why?
Tommy Vandepitte
 
IS/DPP for staff #1 - intro
Tommy Vandepitte
 
Training Procurement
Tommy Vandepitte
 

Recently uploaded (20)

PPTX
ART OF LEGAL WRITING IN THE CBD [Autosaved].pptx
PmVelez
 
PDF
Louisiana Bar Foundation 2023-2024 Annual Report
LexArchive
 
PPTX
Lecture Notes on Family Law - Knowledge Area 5
Frimpong Eric
 
PPT
Over view on IPR and its components :ppt
jyotsnarani13
 
PDF
Nancy Gorby Sucessor Trustee Invoice.pdf
VOLUNTÁRIA CAUSA SOCIAL
 
PDF
Plausibility - A Review of the English and EPO cases
Jane Lambert
 
PPTX
Digital Security in Cyber Law and Mitigating Cyberxrimes
Shibly Ahamed
 
PDF
OpenAi v. Open AI Summary Judgment Order
Mike Keyes
 
PPT
Understanding the Impact of the Cyber Act
dhanesh96
 
PDF
Constitution of India and fundamental rights pdf
abiramianitha2509
 
PPT
Criminal law and civil law under of collage corriculum
HerobrinediamondPane1
 
PDF
APPELLANT'S AMENDED BRIEF – DPW ENTERPRISES LLC & MOUNTAIN PRIME 2018 LLC v. ...
Jeremy Bass
 
PDF
The AI & LegalTech Surge Reshaping the Indian Legal Landscape
Vidhikarya Legal Services LLP
 
PPT
Cyber-Crime-in- India at Present day and Laws
rajmohanjangid
 
PDF
AHRP LB - Quick Look of the Newly-initiated Koperasi Merah Putih (KMP).pdf
AHRP Law Firm
 
PPTX
RULE_4_Out_of_Court_or_Informal_Restructuring_Agreement_or_Rehabilitation.pptx
sherileeneva3
 
PPTX
UDHR & OTHER INTERNATIONAL CONVENTIONS.pptx
legumleviosa
 
PDF
Trademark, Copyright, and Trade Secret Protection for Med Tech Startups.pdf
Ortynska Law PLLC
 
PPT
Understanding the Impact of the Cyber Act
dhanesh96
 
PPT
wipo: IP _smes_kul_06_www_6899913 (1).ppt
jyotsnarani13
 
ART OF LEGAL WRITING IN THE CBD [Autosaved].pptx
PmVelez
 
Louisiana Bar Foundation 2023-2024 Annual Report
LexArchive
 
Lecture Notes on Family Law - Knowledge Area 5
Frimpong Eric
 
Over view on IPR and its components :ppt
jyotsnarani13
 
Nancy Gorby Sucessor Trustee Invoice.pdf
VOLUNTÁRIA CAUSA SOCIAL
 
Plausibility - A Review of the English and EPO cases
Jane Lambert
 
Digital Security in Cyber Law and Mitigating Cyberxrimes
Shibly Ahamed
 
OpenAi v. Open AI Summary Judgment Order
Mike Keyes
 
Understanding the Impact of the Cyber Act
dhanesh96
 
Constitution of India and fundamental rights pdf
abiramianitha2509
 
Criminal law and civil law under of collage corriculum
HerobrinediamondPane1
 
APPELLANT'S AMENDED BRIEF – DPW ENTERPRISES LLC & MOUNTAIN PRIME 2018 LLC v. ...
Jeremy Bass
 
The AI & LegalTech Surge Reshaping the Indian Legal Landscape
Vidhikarya Legal Services LLP
 
Cyber-Crime-in- India at Present day and Laws
rajmohanjangid
 
AHRP LB - Quick Look of the Newly-initiated Koperasi Merah Putih (KMP).pdf
AHRP Law Firm
 
RULE_4_Out_of_Court_or_Informal_Restructuring_Agreement_or_Rehabilitation.pptx
sherileeneva3
 
UDHR & OTHER INTERNATIONAL CONVENTIONS.pptx
legumleviosa
 
Trademark, Copyright, and Trade Secret Protection for Med Tech Startups.pdf
Ortynska Law PLLC
 
Understanding the Impact of the Cyber Act
dhanesh96
 
wipo: IP _smes_kul_06_www_6899913 (1).ppt
jyotsnarani13
 

Controller-to-processor agreements

  • 3. Processor A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller  Antagonist of controller
  • 4. Controller A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data  Siderule: Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law  Next to (explicit or implicit) legal competence to “determine”, factual influence, predictability and visibility (to the data subjects) play a role  Determination of the purpose is most important, “essential” means follow
  • 5. “Clear” cases Processor • Marketing campaign service provider (paper, email, text) • Payroll service provider • Call center • Service provider performing selection tests and reporting back results • Service provider that custom built an IT solution and hosts it afterwards • IaaS service provider • PaaS service provider • Telecom service provider for the content of the messages • Saas service provider (when not in the situation of a monopoly?) Controller • Payment Employer (for HR data) • Corporation (for shareholder data) • Association (for member data) • Bank (for AML, investment profile, ...) • Service provider (for AML, transaction data) • Insurance company (for acceptance and claims handling) • Social networks using (some of) the data for advertising • Search engines using (some of) the data for advertising • Data broker • Straff recruitment agencies (for the pool of potential recruits) • Building owner installing security cameras independent of lessees
  • 6. Harder cases • Possibility of combination of roles ! – Bank or Insurance Broker (AML, advice of the customer, transit of data in both acceptance and claims process) – Data broker both performing data enrichment (delivering “enriching” data and performing the enrichment on its platform) • (Semi)monopolistic processor • Processor that (over the years) has locked in the controller
  • 7. Harder cases • Interim worker services providers / consultancy firms bodyshopping “experts” (e.g. Randstad, Adecco,...) • Meal voucher service provider (e.g. Sodexho, Monizze,...)
  • 8. Sources • Article 29 Working Party – Opinion 1/2010 on the concepts of “controller” and “processor”, WP 169, 16 February 2010 – Opinion 5/2009 on online social networking, WP163, 12 June 2009 – Opinion 10/2006 on the processing of personal data by SWIFT, WP128, 22 November 2006 • Brendan Van Alsenoy, Regulating Data Protection, PhD Thesis KULeuven, 2016, 610 p.
  • 10. Processor’s to dos • Own obligations – Warning controller (“sanity check”) – art. 28 §3 – DPO – art. 37 GDPR – Processing register – art. 30 GDPR – Security – art. 29 and 32 GDPR – Data breach notification to controller – art. 33 §2 – Subprocessor(s) (selection, C’s approval, chain of obligations, liability) – art. 28 §2, §3 d and §4 – Agreement with controller(s) – art. 28 §3
  • 11. Controller’s to dos (wrt processors) • Selection – art. 28 §1 – At start: • RFP • Asks the right questions (and proof) in selection process – General questions / “google” – Questionnaires – Assurance – In flight: prioritise for assessment of agreement and follow-up • priority to processors, then access to systems or premises • priority to special categories of data, large numbers of data subjects, large number of data, transfer outside of EU, ... • assess if mere instructions would be sufficient • Agreement – art. 28 §3
  • 13. Exception of art. 28 §3 • Other legal act under Union or Member State law – that is binding on the processor with regard to the controller – that sets out the same as the agreement • the subject-matter and duration of the processing • the nature and purpose of the processing • the type of personal data and categories of data subjects • the obligations and rights of the controller – and contains the same stipulations as the agreement • Examples ? – Statutes generally do not meet the criteria
  • 14. Paperwork • New agreement: no (in general) – If there is an agreement in place that met article 17 GDPD (art. 16 Belgian Data Protection Act,...) then instructions to fill the gaps could suffice – Otherwise: amendment / schedule • One schedule per type of processing / service delivery contract ? – No, a “frame schedule” is possible and preferable, even if for contract management purposes it can be signed in more copies to be able to add a copy to each agreement • Future – Data protection is just another item in the overall agreement
  • 15. Paper-work • In writing – On paper – Digital • Sign on papier, scan and upload • Sign with qualified digital signature and upload • Complete online in online platform – via unique link : e.g. http://peppered.proposable.com/ – after unique login: e.g. https://loreal.service-now.com/
  • 19. C2P Agreement 1. Describe processing 2. Obligations and rights of the controller 3. Instructions 4. Staff 5. Security 6. Subprocessors 7. Assistance 1. wrt data subjects’ rights 2. wrt security, data breach and DPIAs 8. End (destroy and/or return) 9. Proof (incl. audit)
  • 20. Ref. C2P SCC 2010 Variation of the contract The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
  • 21. Qualification? • Obligation – Not really • Reality – Often requested in the core of the agreement – Parties explicitly named controller and processor • Suggestion – In the preamble at best, giving context and the reason why an agreement is concluded that meets article 28 • What in case of disagreement? – also put it in the preamble and that the agreement is a compromise (e.g. between C2C and C2P)
  • 22. Definitions? • Obligation – Not really • Reality – Often requested in the core of the agreement • Suggestion – In the preamble at best, refer that any terms defined in the GDPR will be construed in line therewith • What in case of disagreement? – also put it in the preamble and that the agreement is a compromise (e.g. between C2C and C2P)
  • 23. Ref. C2P SCC 2010 For the purposes of the Clauses: (a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; (b) 'the data exporter' means the controller who transfers the personal data; (c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC; (d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract; (e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established; (f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Parties may reproduce definitions and meanings contained in Directive 95/46/EC within this Clause if they considered it better for the contract to stand alone.
  • 24. Description of the data processing • Obligation: set out – the subject-matter and duration of the processing – the nature and purpose of the processing – the type of personal data and categories of data subjects • Reality – Reference to the “main agreement”  not clear enough – Reference to a schedule  not prefilled, discussion on the level of detail • Suggestion – Reference to the controller’s part of the processing register that has to be completed by the processor anyway – Data map of the data processing (e.g. swimming lanes)
  • 25. Ref. C2P SCC 2010 Details of the transfer The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses. Appendix 1 This Appendix forms part of the Clauses and must be completed and signed by the parties. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix. Data exporter The data exporter is (please specify briefly your activities relevant to the transfer): … Data importer The data importer is (please specify briefly activities relevant to the transfer): … Data subjects The personal data transferred concern the following categories of data subjects (please specify): … Categories of data The personal data transferred concern the following categories of data (please specify): … Special categories of data (if appropriate) The personal data transferred concern the following special categories of data (please specify): … Processing operations The personal data transferred will be subject to the following basic processing activities (please specify): …
  • 26. Obligations and rights of the controller • Obligation – Set out the obligations and rights of the controller • Reality – Processor ask for reps and warranties by the controller on compliance with the law • Suggestion – 100% compliance is impossible. Suffice with championing / striving to compliance. – Assess the different reps and warranties. If feasible (the risk should logically be with the controller and is under the control of the controller), accept them and/or make them reciprocal (where such is a valid request).
  • 27. Ref. C2P SCC 2010 The data exporter agrees and warrants: (a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State; (b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses; (c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
  • 28. Ref. C2P SCC 2010 - cont’d (d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation; (e) that it will ensure compliance with the security measures; (f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC; (g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension; (h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information; (i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and (j) that it will ensure compliance with Clause 4(a) to (i).
  • 29. Instructions • Obligation – The processor processes the personal data only on documented instructions from the controller, inclduing with regard to transfers of personal data to a thrid country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important ground of public interest • Reality – Limitation of instructions due to the setup of the processor – Instructions are handled like “change requests” which require feasibility assessment, throughput time and extra cost • Suggestion – Include the wording as in the law, also refer to art. 29 – Clarify that unreasonable obstructions endanger qualification
  • 30. Ref. C2P SCC 2010 The data importer agrees and warrants: (a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract; (b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract; (d) that it will promptly notify the data exporter about: (i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
  • 31. What if the instruction is (possibly) contrary to the law? • Duty – Inform – Not: stop the business • Liability – Explicity refer it back to the controller
  • 32. Example information letter We have received your instruction dd. (date) to (brief recap of the instruction). In our opinion this instruction is contrary to the GDPR, more particularly article (relevant articles and/or recitals). Therefore we kindly refuse to execute that instruction. We are open to any argument you may have as to how the instruction is in line with the GDPR. In any case, and especially should you force us to execute the instruction, we will consider such further instruction to include a waiver of any liability on our part and a commitment to – if necessary – to hold us harmless should we suffer any damages (including any reputational damage for us) as a consequence of execution on your instruction. We hope you understand that we had to bring this to your attention in writing and with this level of gravity, as we consider informing you of our opinion our duty under artikel 28 §3 in fine GDPR.
  • 33. Staff • Obligation – The processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality • Reality – art. 29 has direct effect – controllers also want “purpose bound” and “integrity” – controllers want organisational measures and proof • Suggestion – Include the wording as in the law, also refer to art. 29
  • 34. Security • Obligation – The processor takes all measures required pursuant to article 32. • Reality – Controllers want minimum technical and organisational measures (especially if that is considered essential e.g. for health data, financial data,...) and assurance. • Suggestion – Include references to the industry standard and internal policies, as the case may be, launch them as instructions. – In an RFP, make them part of the selection process. – Strive for certification (e.g. ISO27000, ...)
  • 35. Ref. C2P SCC 2010 The data importer agrees and warrants: (c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred; Appendix 2 Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached): …
  • 36. Subprocessors • Obligation – The processor respects the conditions referred to in art. 28 §2 and §4 for engaging other processors. • Reality – Art. 28 §2 and §4 apply directly. – Processors aim for general authorisations and short veto cycles; controllers want more control. – Processor may be hampered in is business when a subprocessor is vetoed. • Suggestion – Controller: assess the risk and organise the relationship management (and information to DPO) in case of notification. – Avoid larger risks: prohibit extra EU transfers, transfer of high risk data, large volumes of data without specific prior approval. – In case of abuse, escalate internally, protect towards the processor, and notify DPA.
  • 37. Ref. C2P SCC 2010 The data importer agrees and warrants: (h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent; (i) that the processing services by the subprocessor will be carried out in accordance with Clause 11; (j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
  • 38. Ref. C2P SCC 2010 – cont’d Subprocessing 1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement. 2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses. 3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely (…) 4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority. This requirement may be satisfied by the subprocessor co-signing the contract entered into between the data exporter and the data importer under this Decision.
  • 39. Assistance (1) • Obligation – The processor, taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to request for exercising the data subject’s rights (chapter III). • Reality – The processor wants to be paid for his help, whereas the controller needs to answer (in principle) without charging a cost. – Often processor systems are not privacy-by-design (do not allow for data export, data protability, data deletion, ...). • Suggestion – Include the wording as in the law – Establish a reasonable cost / fee. Establish that if the answer cannot (timely) be given due to the processor, no cost/fee is paid and the liability thereof is on the processor. – Design a roadmap to become privacy-by-design, where the cost should be spread over all (GDPR subject) customers.
  • 40. Ref. C2P SCC 2010 The data importer agrees and warrants: (d) that it will promptly notify the data exporter about: (...) (iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
  • 41. Assistance (2) • Obligation – The processor assists the controller in ensuring compliance with the obligation pursuant to article 32 (security) taking into account the nature of the processing and the information available to the processor. • Reality – The processor does not want to commit to the unknown and wants to be paid for any efforts. – The controller wants to ensure his perimeter is secure. • Suggestion – Include the wording as in the law – Set up a process / relationship management on information security and data protection e.g. In the foreseen monthly / quarterly / monthly meetings.
  • 42. Assistance (3) • Obligation – The processor assists the controller in ensuring compliance with the obligation pursuant to article 33-34 (data breach notification / communication) taking into account the nature of the processing and the information available to the processor. • Reality – Processors ask that data leaks on the controller side are notified to them. – Processors want to be sure that mere notification does not constitute proof of any breach of duty on their part. – Processors want to be paid for any effort. – Processors do not want to notify data breaches that are not relevant for the controller. – Controllers want to be sure of collaboration in such cases of crisis. – Controllers want the processor to take up responsability / liability if the data breach is the processor’s fault. • Suggestion – Include the wording as in the law, possible reference to 33 §2 – Limit the scope of notifications to those that are relevant (but be aware of incidents that may have collateral damage, like instrusion in the network, malfunction of virtual servers, etc. for which periodic statistic reporting may be a prudent approach ) – Include ISOs and DPOs in the relationship management – Perform data breach exercises with the critical processors (against no or a reasonable fee)
  • 43. Ref. C2P SCC 2010 The data importer agrees and warrants: (d) that it will promptly notify the data exporter about: (...) (ii) any accidental or unauthorised access, and (…)
  • 44. Assistance (4) • Obligation – The processor assists the controller in ensuring compliance with the obligation pursuant to article 35-36 (DPIA/prior checking) taking into account the nature of the processing and the information available to the processor. • Reality – The processor wants to be paid for any extra efforts. – Acts of the processor may trigger a DPIA (e.g. the tranfser outside of the EU) – The controller when performing a DPIA helps the processor in his duty to have a processing register and setting up adequate security measures. • Suggestion – Include the wording as in the law – Perform the DPIA as part of the documentation of the agreement
  • 45. Duration ? • Obligation – Not really • Reality – Parties tend to define the duration of the agreement as equal to the main agreement. • Suggestion – Define the duration of the agreement as equal to the main agreement, with the clarification that the indicated clauses or clauses that by their nature survive, continue resorting effect.
  • 46. End • Obligation – The processor at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies, unless Union or Member State law requires storage of the personal data. • Reality – Processor has an issue with immediate deletion, e.g. in case of potential liability claim later. – Processor asks for a fee for the return of the data. – What if the processor does not actually delete? • Suggestion – Include the wording as in the law – Agree on retention period for the duration of a potential claim. As the case may be, provide a specific statute of limitation, relief from claim, and/or cooperation on proof in case of a(n externally triggered) disputed. – Insert the obligation to provide written assurance of deletion within x days.
  • 47. Ref. C2P SCC 2010 Obligation after the termination of personal data processing services 1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore. 2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
  • 48. Proof • Obligation – The processor makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in article 28 and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. • Reality – Processor does not want to provide “blanket” access for an audit. – Processor wants to be paid for the time and other costs related to the audit. – Controller should pay for the audit, even it if shows that the processors is not performing as he should. • Suggestion – Include the wording as in the law – The processor can / should at regular times provide for written assurance which he can provide to all or multiple customers (e.g. ISAE 3402 SOC 2 type II). – Foresee for “lighter” assurance for non-critical processors, e.g. questionnaires. – Audit will be paid by the controller, unless the audit finds (important) shortcomings, in which case the audit should be paid by the processor, as well as the remediation of such (important) shortcomings.
  • 49. Ref. C2P SCC 2010 The data importer agrees and warrants: (e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred; (f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
  • 50. Ref. C2P SCC 2010 – cont’d Cooperation with supervisory authorities 1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law. 2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law. 3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
  • 51. Liability? • Obligation – Not really • Reality – processor wants no or capped liability, cap often being a factor of the value of the contract / earnings on the contract (e.g. 100% of last year’s paid service fees) – judicial remedy (79), liability to DS (82), fines (83) – ISPs: rec. 21 and article 2 §4  art. 12-15 Dir. 2000/31 • No liability for content transmitted or hosted • Suggestion – though one, what about coexistence of contractual and tort law liability ?
  • 52. Ref. C2P SCC 2010 Liability 1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered. 2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities. 3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
  • 53. Pay extra? • Obligation – Not really • Reality – Processors want to be paid for all or some additional actions • Suggestion – No extra pay for own obligations – Limited extra pay for extra services that are spread over different customers – Reasonable extra pay for extra services IF not caused by law or processor lack of diligence (e.g. upgrade in security that was long due, audit cost + remediation of flaws found during audit, ...)
  • 54. Applicable law? • Obligation – Not really, EU countries (from a data protection perspective) considered equivalent (see e.g. art. 32) • Reality – processor often wants own law and jurisdiction (even within the EU) • Suggestion – distinction between data processing and remainder of the agreement (cf. standard contractual clauses)
  • 55. Ref. C2P SCC 2010 Governing Law The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely (…)
  • 56. Jurisdiction? • Obligation – Not really • Reality – Processor wants own, national courts • Suggestion – Insert an escalation process (RM, C-level, BoD-level) – Use arbitration with specialists in DP, relevant technology and relevant sector – Leave it up to the supplementary rules of international private law
  • 57. Ref. C2P SCC 2010 Mediation and jurisdiction 1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject: (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority; (b) to refer the dispute to the courts in the Member State in which the data exporter is established.
  • 58. What if parties cannot agree? • Obligation – Obligation to have such an agreement in place • Reality – Disagreement on qualification – Disagreement on “prescribed” clauses (subprocessors, ...) – Disagreeent on “non-prescribed” clauses (liability,. applicable law,..) • Suggestion – Qualification: letter that there is no need for an agreement – Agreement on the agreed topics with the conclusion that the other elements will be further negotiated (immediately or as soon as more clarity if provided by the DPAs)