Schedule Blocks

Data protection

This guide explains the different parts that make up the data protection block.

Introduction

Data protection

A data protection block in tech contracts generally establishes how personal data must be handled by the parties to the contract. These blocks are crucial to ensure compliance with various global data protection laws such as the General Data Protection Regulation (GDPR) in the EU, California Consumer Privacy Act (CCPA) in the US, and others.

Data security vs data privacy

While the terms “data security” and “data privacy” are sometimes used interchangeably, they refer to distinct but related concepts:

  • Data Security refers to the measures in place to prevent unauthorized access to databases and computerized systems. It focuses on protecting data from breaches, leaks, or hacks, which might be conducted with harmful intent or might occur unintentionally. Data security technologies and strategies aim to ensure that data remains confidential, maintains its integrity, and is available when authorized users need access (these three elements are often referred to as the CIA triad: Confidentiality, Integrity, Availability).

  • Data Privacy is about how data is collected, stored, processed, and shared while respecting individual privacy rights. It involves ensuring that personal data is collected and used only in ways that are consistent with the individual’s informed consent and applicable laws. Privacy also covers aspects like data anonymization and minimal data collection to protect individuals’ identities even when data is used for legitimate purposes.

In conclusion, the terms “data security” and “data privacy” refer to different aspects of managing and protecting information. However, they are closely linked, as good data security is a fundamental precondition for maintaining data privacy, and privacy considerations help to shape security measures.

Parts

Definitions

The following terms have assigned meanings and require careful consideration:

  1. Authorized persons: This usually refers to individuals who are allowed access to the data under the terms of the agreement. This could include employees, contractors, or third-party service providers. For example, your company’s IT team might be “authorized persons” who can access your servers to perform maintenance or updates.

  2. Controller: This is a term from data protection law, particularly the GDPR. The controller determines the purposes and means of the processing of personal data. For instance, a retail company that collects customer information for marketing purposes would be the controller of that data.

  3. Data incident: This generally refers to any event that leads to unauthorized or unlawful access, loss, destruction, alteration, or disclosure of Protected Data. For example, if a hacker were to break into a company’s systems and steal customer data, that would be a data incident.

  4. Data protection laws: These are the laws and regulations that govern the collection, use, storage, and sharing of personal data. They vary from place to place. In Europe, the main data protection law is the General Data Protection Regulation (GDPR). In the US, different states have different laws, like the California Consumer Privacy Act (CCPA).

  5. Excluded data: This typically refers to data that is not covered by the agreement for one reason or another. The exact nature of excluded data would be specified in your contract. For instance, credit card information can specifically be excluded because the Processor does not want to take the risk of processing this type of information.

  6. Main agreement: This is the primary contract to which the data protection schedule is attached. The main agreement would cover the overall terms of the relationship between the parties, while the data protection schedule focuses specifically on how data is to be handled.

  7. Processor: This is another term from the GDPR. A processor is a person or entity that processes personal data on behalf of the controller, based on the controller’s instructions. For instance, a cloud storage company might be a processor if it stores customer data on behalf of a retail company.

  8. Protected data: This usually refers to personal data that is covered by the agreement and must be protected according to its terms. This could include things like customer names and addresses, credit card numbers, or other personal information.

  9. Restricted transfer: In the context of data protection law, this usually refers to transferring personal data outside the European Economic Area (EEA) in a way that doesn’t comply with the GDPR. The GDPR restricts such transfers to ensure that personal data isn’t sent to places where it won’t be adequately protected.

  10. Services: This generally refers to the services being provided under the terms of the main agreement. For a tech contract, this could include things like software development, IT support, cloud storage, data analysis, and more.

 

Handling protected data

Next, the parts dealing with the obligations of the parties need to be added.

  1. Usage part

    This part ensures that the data collected will only be used for the agreed-upon purpose. For instance, if a healthcare provider engages a data processing provider to manage patient data for the purpose of scheduling appointments, the provider cannot then use this data to create marketing profiles of the patients without explicit consent.

  2. Disclosure part

    This part is about preventing the disclosure of data to unauthorized individuals, with some exceptions. For example, if law enforcement requests access to data as part of a criminal investigation, the provider may be required to comply. But even in this situation, the provider should attempt to notify the customer about this request, unless prohibited by law or court order.

  3. Liability part

    This part means that the provider is held accountable for the actions of its authorized users. For instance, if an employee of the provider mishandles the data or causes a security breach, the provider would still be liable for any consequences, just as if they themselves had caused the breach.

  4. Undertaking part

    This part means that any authorized persons (like employees or subcontractors) must agree in writing to abide by the data protection measures outlined in the contract. For example, the provider might require employees to sign a confidentiality agreement, committing them to use the data appropriately and maintain its security.

Processing of protected data

The following parts are generally addressed under processing of protected data:

  • Categories of data subjects

    This part identifies the different types of individuals whose data will be processed. Data subjects might include categories like customers, employees, suppliers, or website users, among others. In a practical sense, if a company is hiring a third-party service provider to handle its HR functions, the category of data subjects could be “employees” as their personal data will be processed.

  • Categories of personal data

    This part lists the types of personal data that will be handled. Personal data can include various categories like names, contact details, financial information, health information, etc. For example, in the case of an email marketing service provider, the categories of personal data might include items like email addresses, names, and purchase histories.

  • Nature of processing

    This part describes what will be done with the personal data. Processing can include a range of activities, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. For instance, a cloud storage provider might store (a form of processing) customer files, while an email marketing service might collect, store, and use (all forms of processing) email addresses to send newsletters.

  • Duration of processing

    This part specifies how long the personal data will be processed, or the conditions that determine this period. This could be a set time period (like one year), a relative time period (like “for the duration of the customer’s contract”), or based on a specific event (like “until the user requests deletion”). For instance, a software-as-a-service provider might process customer data for the duration of the customer’s subscription, or a healthcare provider might store patient records for a period defined by medical record retention laws.

These parts are important for ensuring transparency and compliance with data protection regulations. They provide clear guidance to the provider about how they can use the data they’re handling, and help ensure that the data is used appropriately and legally.

Technical and organizational measures

Technical and Organizational Measures (often referred to as TOMs) are precautions taken by an organization to protect personal data and to prove compliance with various aspects of privacy laws, like GDPR in the EU. They are essentially the steps a company takes to ensure data is secure, privacy is maintained, and that they can demonstrate this security and privacy to external auditors or authorities. Below are examples of technical and organizational measures often included as part of the data protection block.

Measures

Measures of pseudonymization and encryption of personal data

Here are a couple of examples of measures of pseudonymization and encryption of personal data that may be included as part of the Data Processor’s obligations when handling Personal Data:

  • Data Masking: The Data Processor needs to hide personal data using standard techniques, making it hard to identify the individual from the altered data.

  • Irreversible Masking: The Data Processor must ensure that once the data is masked, it cannot be changed back to the original form or used to identify the person it belongs to.

  • Tokenization: The Data Processor should use a safe system to replace sensitive data with unique, non-sensitive tokens (like codes) that don’t reveal the actual data.

  • Secure Tokens: The Data Processor must make sure that these tokens can’t be connected back to the original data without access to the tokenization system.

  • Secure Storage: The Data Processor needs to store the tokens and their corresponding data mappings separately in a safe, protected environment.

  • Encryption: The Data Processor must use industry-standard methods to protect personal data by scrambling it, both when it’s stored and when it’s being transferred.

  • Encryption Types: The Data Processor should use Advanced Encryption Standard (AES) for symmetric encryption and RSA or ECC for asymmetric encryption, or equally secure alternatives.

  • Key Management: The Data Processor must set up and maintain secure processes to manage encryption keys, including creating, storing, and distributing them.
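The masking and tokenization properties listed above, sketched as an added example that is not part of the original guide. `TokenVault`, `mask_pan` and `pseudonymize` are hypothetical names, the records are constructed, and the in-memory dictionaries stand in for a mapping store that would be secured and hosted separately from the data that holds the tokens.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Hypothetical tokenization system (illustrative, not a product API).

    Tokens are random, so they carry no information about the original value.
    The token -> value mapping lives only inside the vault; in production it
    would sit in a separate, access-controlled and encrypted store.
    """

    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # key for the lookup index
        self._token_by_digest = {}  # HMAC(value) -> token
        self._value_by_token = {}   # token -> original value

    def _digest(self, value):
        # Keyed digest lets the vault reuse a token for a repeated value
        # without exposing an unkeyed hash that could be brute-forced.
        return hmac.new(self._index_key, value.encode("utf-8"),
                        hashlib.sha256).hexdigest()

    def tokenize(self, value):
        digest = self._digest(value)
        token = self._token_by_digest.get(digest)
        if token is None:
            token = "tok_" + secrets.token_urlsafe(16)
            self._token_by_digest[digest] = token
            self._value_by_token[token] = value
        return token

    def detokenize(self, token):
        # Only a caller with access to this vault can reverse a token.
        if token not in self._value_by_token:
            raise KeyError("unknown token")
        return self._value_by_token[token]


def mask_pan(pan):
    """Irreversible masking: keep the last four digits, discard the rest."""
    digits = [c for c in pan if c.isdigit()]
    if len(digits) <= 4:
        # Too short to reveal any digits safely: mask everything.
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + "".join(digits[-4:])


def pseudonymize(record, vault, token_fields, mask_fields):
    """Return a copy of record with the chosen fields tokenized or masked."""
    out = dict(record)
    for field in token_fields:
        out[field] = vault.tokenize(record[field])
    for field, masker in mask_fields.items():
        out[field] = masker(record[field])
    return out


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com",
     "card": "4111 1111 1111 1111"},
    {"customer_id": "C-1002", "email": "bob@example.org",
     "card": "5500 0000 0000 0004"},
    {"customer_id": "C-1003", "email": "alice@example.com",
     "card": "4111 1111 1111 1111"},
]


def run_demo():
    vault = TokenVault()
    protected = [
        pseudonymize(r, vault, ["email"], {"card": mask_pan})
        for r in SAMPLE_RECORDS
    ]
    return vault, protected


if __name__ == "__main__":
    _vault, rows = run_demo()
    for row in rows:
        print(row)
```

The masked card value cannot be restored by anyone, while the email token can be resolved only through the vault that issued it.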

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Here are a couple of examples of measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services that may be included as part of the Data Processor’s obligations when handling Personal Data:

  • Access Control: The Data Processor should use appropriate methods to limit access to personal data, allowing only those who absolutely need it.

  • Review Access Permissions: The Data Processor should regularly check and update who has access to personal data, making sure only authorized personnel can access it.

  • Network Segmentation: The Data Processor should separate systems with personal data from other systems or networks to keep them isolated.

  • Enforce Segmentation: The Data Processor should use firewalls, virtual LANs (VLANs), or other suitable technologies to reinforce network separation and reduce the risk of unauthorized access.

  • Intrusion Detection and Prevention: The Data Processor should use systems that monitor and protect networks and systems containing personal data from unauthorized access or attacks.

  • IDPS Updates: The Data Processor should regularly update these systems with the latest threat information and make sure they’re configured to quickly detect and respond to potential security incidents.

  • Security Patch Management: The Data Processor should have a process to quickly find, evaluate, and apply security updates to systems handling personal data.

  • Prioritize Critical Patches: The Data Processor should focus on deploying important security updates first to minimize the risk of known vulnerabilities being exploited.

  • Backup and Disaster Recovery Plan: The Data Processor should have a plan to recover personal data and systems quickly in case of disruptions or failures.

  • Regular Backups: The Data Processor should frequently back up personal data and store copies in secure, geographically separate locations.

  • Redundancy and Fault Tolerance: The Data Processor should use measures like redundant power supplies, RAID configurations, and load balancing to keep systems handling personal data continuously available and resilient.

  • Test and Evaluate: The Data Processor should periodically test these measures to ensure the ongoing reliability of systems and services.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Here are a couple of examples of measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident that may be included as part of the Data Processor’s obligations when handling Personal Data:

  • Regular Backups: The Data Processor should frequently back up personal data following a set schedule and backup retention policy.

  • Integrity and Confidentiality: The Data Processor should use suitable encryption and access control methods to keep backed-up personal data secure and accurate.

  • Off-site Storage: The Data Processor should store backup copies of personal data in safe, geographically separate locations to reduce the risk of data loss from local incidents.

  • Physical and Technical Security: The Data Processor should use proper security measures to protect off-site backup storage locations from unauthorized access, theft, or damage.

  • Disaster Recovery Plan: The Data Processor should have a plan outlining how to restore personal data and systems if there’s a disruption or failure, and they should keep this plan updated.

  • Testing the Plan: The Data Processor should regularly test the disaster recovery plan to make sure it works effectively, and staff know how to follow it in case of an incident.

  • Business Continuity Plan: The Data Processor should have a plan that addresses potential risks and impacts on personal data processing due to physical or technical incidents.

  • Review and Update: The Data Processor should periodically review and update the business continuity plan, incorporating lessons learned from incident response exercises, testing, and real-world events.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

Here are a couple of examples of processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing that may be included as part of the Data Processor’s obligations when handling Personal Data:

  • Security Audits: The Data Processor should regularly check and evaluate the effectiveness of security measures, policies, and procedures related to handling personal data.

  • Fix Deficiencies: The Data Processor should quickly address any weaknesses or vulnerabilities found and show evidence of improvements to the Data Controller.

  • Penetration Testing: The Data Processor should regularly test systems and networks that process personal data by simulating real-world attacks to identify potential weaknesses and vulnerabilities.

  • Independent Professionals: The Data Processor should hire qualified, independent experts to conduct penetration tests and quickly address any issues found.

  • Vulnerability Scans: The Data Processor should routinely scan systems and networks involved in processing personal data, using automated tools and methods to find potential security weaknesses.

  • Fix Vulnerabilities: The Data Processor should quickly address any vulnerabilities found and show evidence of improvements to the Data Controller.

  • Security Awareness Training: The Data Processor should provide regular training to employees handling personal data, ensuring they understand their responsibilities and the security measures needed to protect the data.

  • Training Records: The Data Processor should keep records of completed training and update the training content periodically to address new threats and security best practices.

Measures for user identification and authorization

Here are a couple of examples of measures for user identification and authorization that may be included as part of the Data Processor’s obligations when handling Personal Data:

  • MFA (Multi-Factor Authentication): The Data Processor should require all users accessing systems with personal data to use at least two different types of authentication, like a password, a token, or a biometric feature.

  • RBAC (Role-Based Access Control): The Data Processor should give users permissions and access rights based on their job roles and responsibilities, making sure they only have the minimum access needed to do their jobs.

  • SSO (Single Sign-On): When possible, the Data Processor should use SSO solutions to make it easier for users to access multiple systems with personal data using one login, while still maintaining strict access controls and security measures.

  • Password Policies: The Data Processor should have strong password policies for users accessing systems with personal data, including rules for password complexity, length, and expiration.

  • Secure Password Handling: The Data Processor should also use secure methods for storing, transmitting, and resetting passwords, making sure they are protected from unauthorized access and disclosure.

Measures for the protection of data during transmission

Here are a couple of examples of measures for the protection of data during transmission that may be included as part of the Data Processor’s obligations when handling Personal Data:

  • Secure Communication Protocols: The Data Processor should use secure protocols like HTTPS, TLS, or VPNs to encrypt data sent between systems, networks, and users, making sure personal data stays private and safe while being transferred.

  • Email Security: The Data Processor should use email security measures like encryption, digital signatures, and anti-phishing filters to protect personal data sent through email and reduce the risk of unauthorized access or disclosure.

  • Antivirus and Anti-Malware: The Data Processor should keep antivirus and anti-malware software up-to-date on all devices used to access or send personal data, ensuring data transmissions are safe from malicious software and unauthorized access.

  • DLP (Data Loss Prevention): The Data Processor should use DLP solutions to monitor and control the transfer of personal data, stopping unauthorized or accidental data leaks and making sure personal data is only sent to authorized recipients and systems.

Measures for the protection of data during storage

Here are a couple of examples of measures for the protection of data during storage that may be included as part of the Data Processor’s obligations when handling Personal Data:

  • Encrypt Stored Data: The Data Processor should encrypt personal data stored in databases or other storage systems, using strong encryption methods like AES-256 or similar.

  • Secure Storage Infrastructure: The Data Processor should have a safe storage environment for personal data, with proper security measures like access controls, firewalls, and intrusion detection and prevention systems.

  • Security Updates: The Data Processor should quickly apply security updates and patches to storage systems, addressing potential vulnerabilities and reducing the risk of unauthorized access to stored personal data.

  • Access Control Policies: The Data Processor should have strict rules for accessing systems and devices storing personal data, allowing only authorized personnel to access them.

  • Monitor and Log Access: The Data Processor should keep track of and record access to stored personal data, allowing for quick detection and response to potential security incidents.

  • Secure Data Disposal: The Data Processor should follow safe procedures to dispose of personal data that is no longer needed or required to be kept, making sure the data is permanently deleted and can’t be recovered or accessed by unauthorized parties.

Measures for ensuring physical security of locations at which personal data are processed

Here are a couple of examples of measures for ensuring physical security of locations at which personal data are processed that may be included as part of the Data Processor’s obligations when handling Personal Data:

  • Strict Access Controls: The Data Processor should use strong access controls like card readers, biometric authentication, or security personnel to limit access to areas where personal data is processed, allowing only authorized personnel inside.

  • Security Monitoring: The Data Processor should constantly monitor processing locations using security measures like video surveillance, intrusion detection systems, and alarms to detect and respond to potential security breaches or unauthorized access.

  • Visitor Management: The Data Processor should have a process for managing visitors, including identification, registration, and supervision, to make sure unauthorized people don’t access locations where personal data is processed.

  • Secure Storage Solutions: The Data Processor should use secure storage options like locked cabinets or secure server rooms for physical records with personal data, and maintain a clean desk policy to reduce the risk of unauthorized access or data theft.

  • Environmental Controls: The Data Processor should install and maintain controls like fire suppression systems, climate control, and uninterruptible power supply (UPS) systems to protect processing locations and personal data from damage caused by fire, water, power outages, or other environmental threats.

Measures for ensuring events logging

Here are a couple of examples of measures for ensuring events logging that may be included as part of the Data Processor’s obligations when handling Personal Data:

  1. Comprehensive Logs: The Data Processor should keep detailed logs of events related to personal data processing, such as access, changes, deletion, transmission, security incidents, and system activities.

  2. Log Retention Policy: The Data Processor should have a policy for how long logs are kept and the secure storage methods used to protect logs from unauthorized access, tampering, or deletion.

  3. Log Monitoring and Analysis: The Data Processor should regularly review logs for any suspicious or unauthorized activities, making sure potential security incidents are quickly detected and addressed.

  4. Restricted Access to Logs: The Data Processor should allow only authorized personnel to access event logs, using appropriate access controls to protect logs from unauthorized access, tampering, or deletion.

  5. Auditable Trail of Events: The Data Processor should maintain a clear and auditable record of events related to personal data processing, allowing for the reconstruction of activities and providing evidence of compliance with data protection requirements.

Measures for ensuring system configuration, including default configuration

Here are a couple of examples of measures for ensuring system configuration, including default configuration, that may be included as part of the Data Processor’s obligations when handling Personal Data:

  • Secure Baseline Configurations: The Data Processor should set up secure baseline configurations for systems processing personal data, using industry best practices and security standards to minimize potential risks and vulnerabilities.

  • Configuration Management Process: The Data Processor should have a process for tracking, controlling, and documenting changes to systems and their configurations, making sure that any changes are properly authorized, tested, and documented.

  • Review and Update Configurations: The Data Processor should regularly review and update system configurations, including default settings, to address new threats, vulnerabilities, and technological advancements, ensuring ongoing security.

  • System Hardening: The Data Processor should use system hardening techniques like disabling unnecessary services, removing default accounts, and configuring access controls to reduce the attack surface and minimize the risk of unauthorized access or data breaches.

  • Patch Management Process: The Data Processor should have a process for regularly updating systems with security patches and software updates, ensuring that known vulnerabilities are quickly addressed and mitigated.

Measures for internal IT and IT security governance and management

Here are a couple of examples of measures for internal IT and IT security governance and management that may be included as part of the Data Processor’s obligations when handling Personal Data:

  • Comprehensive IT Security Policy: The Data Processor should create and update an IT security policy that outlines their commitment to protecting personal data and provides guidance on implementing security controls, procedures, and best practices.

  • Dedicated IT Security Team: The Data Processor should appoint a dedicated IT security team, led by a qualified professional, responsible for managing and improving security measures related to personal data processing.

  • Risk Management Process: The Data Processor should implement a process to identify, assess, and mitigate potential risks to personal data, ensuring appropriate controls are in place to minimize the likelihood and impact of security incidents.

  • Incident Response Plan: The Data Processor should develop and maintain a plan that outlines procedures for detecting, containing, and recovering from security incidents, as well as reporting breaches to the Data Controller and relevant authorities, as required.

  • Regular IT Security Training: The Data Processor should provide regular security training and awareness programs to all employees involved in personal data processing, ensuring they understand their responsibilities and are aware of security best practices and potential threats.

  • Periodic Security Assessments and Audits: The Data Processor should conduct regular security assessments and audits to review the effectiveness of implemented security measures and ensure ongoing compliance with internal policies and regulatory requirements.

Measures for certification or assurance of processes and products

Here are a couple of examples of measures for certification or assurance of processes and products that may be included as part of the Data Processor’s obligations when handling Personal Data:

  • Industry Certifications: The Data Processor should obtain and maintain relevant industry certifications, such as ISO 27001, SOC 2, or GDPR-specific certifications, to show that they comply with established security standards and best practices related to personal data processing.

  • Independent Audits and Assessments: The Data Processor should have qualified, independent third parties conduct regular audits and assessments to validate the effectiveness of security measures and ensure ongoing compliance with data protection requirements.

  • Continuous Improvement Process: The Data Processor should implement a process to monitor, evaluate, and update security measures, processes, and products to address emerging threats, vulnerabilities, and technological advancements, ensuring personal data remains protected.

  • Monitoring Third-Party Compliance: The Data Processor should assess and monitor the compliance of vendors, subcontractors, and other third parties involved in personal data processing, ensuring they maintain the same level of certification and assurance for their processes and products.

  • Maintain Documentation: The Data Processor should maintain documentation related to certifications, audit findings, and corrective actions, providing the Data Controller with evidence of compliance and assurance for its processes and products upon request.

Measures for ensuring data minimization

Here are a couple of examples of measures for ensuring data minimization that may be included as part of the Data Processor’s obligations when handling Personal Data:

  • Processing for Specific Purposes: The Data Processor must only process personal data for specific purposes defined by the Data Controller and not process data for any other purpose without explicit authorization.

  • Data Minimization: The Data Processor must follow data minimization principles by collecting and processing only the minimum amount of personal data necessary to fulfill the specific purpose, ensuring no excessive data is collected or retained.

  • Restrict Processing: The Data Processor must limit the processing of personal data to the minimum extent required to achieve the defined purpose, avoiding any unnecessary or excessive processing activities.

  • Data Retention Policy: The Data Processor must establish and follow a data retention policy that specifies how long personal data is stored and securely deletes data when it is no longer needed, ensuring data is not retained longer than necessary.

  • Periodic Review and Deletion: The Data Processor must periodically review the personal data it processes and securely delete any data that is no longer necessary or relevant to the purpose for which it was collected.

Measures for ensuring data quality

Here are a couple of examples of measures for ensuring data quality that may be included as part of the Data Processor’s obligations when handling Personal Data:

  • Data Accuracy: The Data Processor must implement measures to ensure personal data is accurate, up-to-date, and complete, regularly validating and updating data as needed to maintain its accuracy.

  • Validation and Integrity Checks: The Data Processor must employ data validation and integrity checks during data collection, processing, and storage to minimize the occurrence of errors, inconsistencies, or corruption in personal data.

  • Correction and Updating Procedures: The Data Processor must establish procedures for the prompt correction or updating of personal data upon request or when inaccuracies are identified, ensuring that data quality is maintained over time.

  • Standardized Procedures: The Data Processor must implement standardized data processing procedures to minimize the risk of human error or inconsistencies that could negatively impact data quality.

  • Quality Control and Monitoring: The Data Processor must implement ongoing quality control and monitoring processes to identify and address any data quality issues, regularly reviewing and adjusting these processes as needed to maintain high-quality personal data.

Measures for ensuring limited data retention

Here are a couple of examples of measures for ensuring limited data retention that may be included as part of the Data Processor’s obligations when handling Personal Data:

  • Data Retention Policy: The Data Processor must establish and follow a data retention policy that specifies the duration for which personal data is retained, considering legal, regulatory, and contractual requirements, as well as the purpose for which the data was collected.

  • Secure Data Deletion: The Data Processor must implement secure data deletion procedures to ensure that personal data is irretrievably deleted once it is no longer necessary for the specified purpose or when the retention period has expired.

  • Periodic Data Review: The Data Processor must periodically review the personal data it holds to identify and securely delete any data that is no longer necessary or has exceeded the defined retention period, ensuring that data is not retained longer than required.

  • Archiving and Destruction Procedures: The Data Processor must establish and follow procedures for archiving and securely destroying personal data when it is no longer needed, ensuring that archived data is protected from unauthorized access and that destruction methods render the data irrecoverable.

  • Employee Awareness: The Data Processor must ensure that all employees involved in personal data processing are aware of the data retention policy and its requirements, promoting adherence to limited data retention practices.

Measures for ensuring accountability

Here are a couple of examples of measures for ensuring accountability that may be included as part of the Data Processor’s obligations when handling Personal Data:

  • Appoint a Data Protection Officer: The Data Processor must appoint a qualified Data Protection Officer (DPO) who will oversee data protection activities, ensure compliance with data protection regulations, and serve as the point of contact for the Data Controller and relevant authorities.

  • Data Protection Policies and Procedures: The Data Processor must establish, maintain, and regularly update comprehensive data protection policies and procedures that outline the organization’s commitment to protecting personal data and provide guidance on implementing security controls, procedures, and best practices.

  • Record of Processing Activities: The Data Processor must maintain a detailed Record of Processing Activities (ROPA) that documents the processing of personal data, including the purpose, categories of data, data subjects, and any data transfers, ensuring that processing activities are transparent and accountable.

  • Compliance Monitoring: The Data Processor must regularly monitor and assess its compliance with data protection requirements, reporting any breaches or non-compliance to the Data Controller and relevant authorities, as required.

  • Data Protection Impact Assessments: The Data Processor must conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, identifying potential risks and implementing appropriate mitigating measures to ensure the protection of personal data.

  • Data Processing Agreements: The Data Processor must establish Data Processing Agreements (DPAs) with all subprocessors, ensuring that they maintain the same level of data protection and security as the Data Processor, and are accountable for their processing activities.

  • Data Protection Training: The Data Processor must provide regular data protection training and awareness programs to all employees involved in personal data processing, ensuring that they understand their responsibilities and are aware of data protection best practices and potential threats.

Measures for allowing data portability and ensuring erasure

Here are a couple of examples of measures for allowing data portability and ensuring erasure that may be included as part of the Data Processor’s obligations when handling Personal Data:

  • Data Portability Procedures: The Data Processor must establish and follow procedures to facilitate data portability, enabling data subjects to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit this data to another controller without hindrance.

  • Data Export Formats: The Data Processor must provide appropriate data export formats and mechanisms to ensure the seamless transfer of personal data between different systems and controllers, while maintaining the integrity, confidentiality, and security of the data.

  • Secure Data Erasure: The Data Processor must implement secure data erasure procedures to ensure that personal data is irretrievably deleted upon the data subject’s request or when it is no longer necessary for the specified purpose, in accordance with the data retention policy.

  • Prompt Response to Requests: The Data Processor must promptly respond to data subject requests for data portability or erasure, ensuring that these requests are fulfilled within the timeframes specified by applicable data protection regulations.

  • Documentation of Requests: The Data Processor must maintain documentation of all data subject requests for portability and erasure, including the actions taken and the date of completion, to demonstrate compliance with data protection requirements.

  • Employee Training: The Data Processor must provide regular training and awareness programs for employees involved in personal data processing, ensuring that they understand their responsibilities related to data portability and erasure and are aware of the relevant procedures and best practices.

Parts

Sub-processors

A Data Protection Impact Assessment (DPIA) is a systematic process used to evaluate the potential impact that a data processing activity can have on the privacy of individuals. The purpose of the DPIA is to identify and minimize data protection risks related to a project or a processing operation. Under the GDPR, DPIAs are mandatory for data processing activities that may result in a high risk to individuals’ privacy rights.

The purpose of the Data Protection Impact Assessment part in the Data Protection Schedule is to ensure that the data processor assists the data controller in complying with the obligations related to the DPIA. The processor may provide useful information to the controller, for example about the technical and organizational measures they have in place to safeguard personal data.

Assisting data controllers with their obligations relating to the processing of personal information can be time-consuming and resource-intensive. Depending on the nature of the assistance required, the processor might need to dedicate significant staff hours to the task, use certain technical resources, or even seek external legal or technical expertise. As such, it can impose additional operational and financial burdens on the processor.

To cover these costs, the data processor might include a part in the data processing block stating that the data controller will pay fees for any assistance the processor provides in helping the controller fulfil its data protection obligations.

This approach allows the processor to recover the costs of providing this assistance. It can also incentivize the processor to provide timely and effective assistance since they know their efforts will be compensated. However, any such fees would generally need to be reasonable and reflect the actual costs incurred by the processor.

It’s also worth noting that this kind of fee arrangement needs to be agreed upon in advance to prevent any disputes down the line.

Access rights

The data controller generally wants to ensure they have adequate access to the protected data processed by the data processors.

This access is important for multiple reasons:

  • Compliance: The data controller is responsible for ensuring that data processing activities comply with applicable data protection laws. They need access to the data and related processing activities to verify compliance.

  • Data Subject Requests: Under data protection laws, data subjects (the individuals to whom the data pertains) have certain rights, such as the right to access their data, correct it, or delete it. The data controller needs to access the data to fulfil these requests.

  • Auditing and Monitoring: The data controller may need to audit the data processing activities for compliance with internal policies, regulatory requirements, or contractual obligations. They also need to monitor data processing activities on an ongoing basis to detect and address any issues promptly.

From the data processor’s perspective, they want to be compensated should the provision of the access require any time or costs on their side. It is therefore important that the data processor reserves a right to recover costs associated with providing assistance to the data controller.

Assisting with data access and copying can involve significant time and resources, particularly if the data is large in volume or complex in nature. By allowing the data processor to charge for this assistance, the provision ensures that the processor is compensated for their work and resources. This can also incentivize the processor to provide timely and effective assistance, as they know that they will be compensated for their efforts.

By including these parts in the data protection schedule, both parties can ensure that they are fulfilling their obligations under data protection law, while also addressing practical considerations like cost recovery. These provisions can help to maintain a balanced and effective data processing relationship.

Protected data requests

A protected data request is typically a request from a data subject (an individual to whom the data pertains) seeking to exercise their rights under data protection laws. These rights can include:

  1. Right to Know: This is the data subject’s right to know what personal data a data controller has about them, why it’s being processed, and who it’s being shared with.

  2. Right to Deletion or Right to be Forgotten: This is the right to have personal data deleted or removed, under certain conditions.

These rights are established by data protection laws, such as the General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act (CCPA) in the US.

Generally, if the data processor receives such a request (referred to as a “Consumer Request”), they should not respond to it without written authorization from the data controller. This is because the data controller is typically responsible for managing interactions with data subjects, including handling data subject requests. The processor’s role is to process data on behalf of the controller, not to manage these data subject interactions.

The part also indicates that the data processor should comply with the data controller’s reasonable written instructions regarding how to handle Consumer Requests, as long as those instructions are in line with applicable data protection laws. The processor should do this at the expense of the data controller, meaning that the controller covers the costs associated with handling the request.

Audits

This part of the data protection schedule addresses the data controller’s right to audit the data processor’s processing of the protected data. This right is crucial because it allows the controller to verify that the processor is complying with applicable data protection laws, contractual obligations, and industry standards.

Here are the parts that are generally included:

  • Compliance with Industry Standards: The processor must maintain annually updated compliance reports and certifications, such as ISO (International Organization for Standardization) or SOC II (System and Organization Controls II). These standards pertain to information security management and are globally recognized. Compliance with these standards provides assurance that the processor has robust security controls in place to protect the data they handle.
  • Provision of Certifications and Reports: The processor must provide the controller with a copy of their most recent certifications and compliance reports upon request, and then annually within 30 days of completion. This allows the controller to review the processor’s compliance status on an ongoing basis.
  • Addressing Deficiencies and Changes: If any deficiencies are identified or changes suggested in relation to the services provided under the agreement, the processor must make reasonable efforts to address these promptly. This ensures that any potential data protection issues are resolved in a timely manner.
  • Protection of Other Customers’ Data: The processor is not required to permit any audit that could compromise the security of their other customers’ data. This recognizes the processor’s obligation to protect all the data they handle, not just the data of the requesting controller.
  • Confidentiality of Reports: Any report provided under this schedule must be treated as confidential information. This helps to protect sensitive information about the processor’s data handling practices and security controls.

These parts help to ensure transparency, accountability, and continuous improvement in the processor’s data protection practices. They provide the controller with the tools and information they need to oversee the processing activities and fulfill their obligations under data protection law. They also recognize the processor’s need to protect the data and interests of all their customers.

Data incidents

These parts detail the obligations that the data processor has to the data controller in the event of a data incident, which could be a data breach or any other situation where protected data is potentially compromised. These obligations are crucial for responding effectively to such incidents and minimizing any damage.

  • Prompt Notification: The data processor must notify the data controller promptly, and within 24 hours, using real-time communication methods such as telephone or in-person communication. This ensures that the controller is aware of the incident as soon as possible so they can begin responding.

  • Cooperation with Law Enforcement: The processor should cooperate with any law enforcement agencies involved in investigating and resolving the incident. This can help to identify the cause of the incident, apprehend any perpetrators, and prevent similar incidents in the future.

  • Assistance in Notifying Third Parties: The processor should provide reasonable assistance in notifying any third parties that need to be informed about the incident. This could include other businesses, regulatory bodies, or affected data subjects.

  • Compliance with Data Breach Laws: The processor must comply with all applicable laws governing data breach notification and response. This could include laws requiring notification to certain authorities or affected individuals, offering identity theft protection to affected individuals, etc.

  • Compensation for Notification Expenses: If the incident is due to the processor’s breach of the agreement or negligence, they must compensate the controller for reasonable expenses associated with notifying consumers. This can help the controller cover the costs of this critical response activity.

  • Access to Records: The processor should give the controller access to any records related to the incident that the controller may reasonably request, treating such records as confidential information. The processor is not required to provide access to records that could compromise the security of other customers.

  • Designated Security Contact: The processor should provide a primary security contact who is available 24/7 to assist in resolving obligations associated with a data incident. Having a dedicated point of contact can facilitate effective communication and response.

These provisions are designed to ensure an effective and coordinated response to any data incident, minimizing harm and ensuring compliance with all applicable laws. They also maintain the responsibility of the data processor in case of negligence, reinforcing the importance of secure data processing practices.

Deletion of protected data

The part of a data protection schedule or agreement that addresses the deletion of protected data typically sets out the obligations for the data processor to delete or return all protected data in their possession or control once the agreement ends or upon the data controller’s request.

  • Timing of Deletion: The data processor is required to delete or return all protected data immediately after the end of the services or upon the data controller’s request. In some cases, a specific timeframe may be specified, such as 30 days after termination of the agreement.

  • Method of Deletion: The data processor should delete the data securely and in accordance with approved data destruction methods. This is to ensure that the data cannot be accessed or recovered after deletion.

  • Confirmation of Deletion: The data processor may also be required to provide confirmation or evidence that the data has been deleted. This could take the form of a written confirmation or a certificate of destruction.

  • Exceptions: In certain cases, the processor may be allowed to retain some data if required by law, such as for record-keeping or reporting purposes. However, they would still need to continue protecting this data according to the data protection regulations and the agreement.

These obligations are crucial for ensuring that protected data is handled appropriately even after the agreement ends. They help to prevent unauthorized access or disclosure of the data and maintain compliance with data protection laws. The deletion of protected data is an integral part of data lifecycle management and is important for upholding the principles of data minimization and storage limitation, which require that personal data is only kept as long as necessary.

Restricted transfers

Restricted transfers refer to the transfer of personal data outside of the country in which it was originally collected, particularly from a country with strong data protection laws, such as member countries of the European Economic Area (EEA), to countries with differing data protection laws.

Under data protection laws like the General Data Protection Regulation (GDPR), such transfers are restricted to ensure that the level of protection guaranteed to personal data is not undermined. Therefore, a restricted transfer can only take place if certain conditions are met.

A transfer mechanism is a legal tool that provides a way to comply with the conditions for restricted transfers. Transfer mechanisms ensure that data transferred internationally is subject to data protection standards equivalent to those in the originating country. Here are the key transfer mechanisms:

  1. Adequacy Decisions: The European Commission can determine that a non-EEA country offers an adequate level of data protection, meaning that data can be transferred there without needing any further safeguard.

  2. Standard Contractual Clauses (SCCs): These are sets of contractual terms and conditions which the sender and the receiver of the personal data both sign up to. They include obligations on the data importer and rights for the individuals whose personal data is transferred.

  3. Binding Corporate Rules (BCRs): These are internal rules adopted by a multinational group of companies that define its global policy on international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection.

  4. Derogations: In certain circumstances, transfers can be made under derogations, such as when the data subject has explicitly consented to the proposed transfer.

In tech contracts, clauses pertaining to restricted transfers and transfer mechanisms ensure that any data shared between parties, especially when crossing national borders, adheres to the appropriate data protection laws. These parts are important to help maintain the privacy rights of individuals and fulfil the legal obligations of businesses.

Order of precedence

This part essentially establishes an order of precedence in the event of any conflicting terms or conditions between different documents or parts of an agreement.

For example, an order of precedence may be:

  1. The Transfer Mechanism: Transfer mechanisms are legal tools that allow data to be transferred internationally while still complying with data protection laws. If there’s a conflict between the transfer mechanism and the other documents, the provisions in the transfer mechanism will prevail. This acknowledges the fact that data protection laws, especially those around international data transfers, can have significant legal implications, and the parties must strictly adhere to these laws.

  2. This Schedule: If there is a conflict between this data protection schedule and the main agreement, the terms in this data protection schedule take precedence. This emphasizes the importance of data protection and ensures that any commitments made in this schedule are upheld even if they conflict with other terms in the main agreement.

  3. The Main Agreement: This refers to the overall contract or agreement between the two parties. If there’s no conflict with the transfer mechanism or data protection schedule, then the terms of the main agreement prevail. The main agreement often covers a broad range of topics beyond data protection, such as service delivery terms, payment terms, etc.

The purpose of establishing an order of precedence is to provide clear guidance on which document’s terms are superior in the event of conflicting provisions. It eliminates ambiguity and aids in dispute resolution, thereby offering a smoother contractual and operational relationship between the parties involved.

Breach and equitable relief

These parts address the implications of breaching the obligations in the data protection schedule and the possible remedies in such cases:

  1. Deemed Material Breach: The first part asserts that any violation of the obligations under the data protection schedule is considered a severe or “material” breach of the entire agreement. This highlights the significance of the data protection provisions and the severe consequences of failing to uphold them. A material breach usually provides the non-breaching party with grounds to terminate the agreement and potentially seek damages.

  2. Equitable Relief and Injunctive Relief: The second part acknowledges the unique challenges of remedying a data protection breach. It essentially states that, due to the nature of data breaches, the usual legal remedies (like damages) might not be adequate. Data breaches can have intangible and far-reaching effects that are difficult to quantify. As a result, injunctive relief, which is a court order to do or stop doing something (in this case, to stop any behavior breaching the schedule), might be the best solution. It also states that the data processor agrees that injunctive relief is appropriate without the need for the data controller to demonstrate actual harm or post a bond, which are often required in such cases. This waiver is subject to any limits in applicable data protection laws.

  3. Successors in Obligation: Lastly, the part highlights that these obligations extend to the data processor’s successors, including any trustees in bankruptcy. This ensures continuity of data protection obligations even in events such as bankruptcy or a change in the data processor’s organizational structure.

Overall, these parts are designed to ensure that the data processor understands the gravity of their data protection responsibilities and the severe consequences for failing to fulfill them, thus strengthening the overall data protection mechanism in place.

Important considerations

World Commerce Principles

World Commerce and Contracting has provided the following principles:

  1. A security environment should be designed based on the assumption that security or process failures may occur and that there needs to be multiple layers of protection to guard against Protected Data Losses.
  2. Contract terms should reflect a balance of cost and benefit in the security environment. Customers and suppliers can more effectively reduce operational risks of Protected Data Losses by focusing on – and clearly delineating – their respective security obligations (e.g., meeting industry standards, timely notice of data breaches) in a shared responsibility matrix rather than by focusing solely on liabilities in the event of a Protected Data Non-Compliance.
  3. The extent to which a party will conform to particular industry security standards or will meet custom/more exacting requirements is a commercial issue that should be negotiated based on the data to be shared and the resources available to each of the parties.
  4. Liability for Protected Data Non-Compliance should be based on the same principles as applied for other contract breaches – liability should be based on sufficient proof of the breach, should be proportionate to fault, and should reflect a fair allocation of risk as agreed to by the parties. In addition, each party should have an obligation to mitigate damages.
