Data protection clauses in commercial contracts. Amy Chandler & Paul Jonson

Transcription

1

2 Data protection clauses in commercial contracts Amy Chandler & Paul Jonson

3 Data controller/data processor 1. A company engages a payroll company to process payslips and make payments to its employees.

4 Data controller/data processor 2. A customer requests an insurance quote from an insurance broker. In order to obtain quotes from different insurance companies, the broker sends the customer s details and requirements to several insurance companies and sends the relevant quotes back to the customer. The customer decides to proceed with one of the quotes received.

5 Data controller/data processor 3. A government department that is responsible for paying benefits to individuals contracts with a private sector company to administer the benefits.

6 Data protection clauses Why so important? It is the duty of the data controller to comply with the Data Protection Act in respect of data for which it is the data controller. Data processors are not subject to these obligations. Data controllers liable for not only their own breaches but also the breaches of their data processors.

7 Brighton and Sussex University Hospitals NHS Foundation 28 May 2012 Hospital trust HIS subcontractor

8 Brighton and Sussex University Hospitals NHS Foundation 28 May 2012 Denis Radovanovic /shuttershock.com

9 DPA requirements DPA requires data controllers to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data (seventh principle)

10 DPA requirements The measures taken must ensure a level of security appropriate to: The level of harm that might result from unauthorised or unlawful processing or accidental loss or damage to data; and The nature of the data to be protected

11 DPA requirements Where processing is carried out by a data processor on behalf of a data controller, data controller must: choose a data processor providing sufficient guarantees in respect of the technical and organisational measures governing processing to be carried out; and take reasonable steps to ensure compliance with those measures

12 DPA requirements Data controller will not be considered to be complying with the 7 th principle unless the processing is carried out under a written contract: Under which the data processor is required to act only on the instructions of the data controller; and Which requires the data processor to comply with obligations equivalent to those imposed on a data controller under the 7 th principle

13 Data transfers outside the EEA Personal data must not be transferred to a country outside the EEA unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data (eighth principle)

14 Data transfers outside the EEA Is the country on the EU Commission safe list? See: If in the US, has the company signed up to the safe harbor scheme? Do any exemptions apply? Assess adequacy?

15 Data transfers outside the EEA Exemptions (Schedule 4 DPA). Eg s: Data subject has consented Transfer necessary for performance of contract between data controller and data subject Transfer necessary for conclusion of contract between data controller and another person which is entered into at data subject s request or is in the data subject s interests

16 Data transfers outside the EEA EC model data processing clauses: Controller to controller clauses: OJ:L:2004:385:0074:0084:EN:PDF Controller to processor clauses: OJ:L:2010:039:0005:0018:EN:PDF

17 Privacy and Electronic Communications Regulations 2003 Need consent to send unsolicited direct marketing communications by electronic mail to individuals unless: Obtained their contact details in the course of a sale or negotiations for a sale of a product or service Marketing communications relate to similar products or services of yours Individual given simple means of refusing consent (at time when details collected and in each subsequent communication)

18 Paul Jonson Tel: Amy Chandler Tel: