GDPR: The Most Frequently Asked Questions: Are the Standard Contractual Clauses Enough?

Transcription

1 GDPR: The Most Frequently Asked Questions: Are the Enough? February 2, 2018 The European Union s General Data Protection Authors/Presenters Regulation ( GDPR ) is arguably the most comprehensive and complex data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR. To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the David A. Zetoony Partner Boulder, Colorado David.Zetoony@bclplaw.com questions most frequently asked by clients concerning the GDPR. Question: If a service provider has already agreed to the controller-processor standard contractual clauses, are you required to put additional GDPR-related contractual provisions in place? Answer: Yes. The GDPR imposes two requirements when a company (referred to in the GDPR as a data controller ) uses a service provider (referred to in the GDPR as a data processor ). Page 1 of 12

2 The first requirement is that if a data controller is based in the EEA and is transferring personal data to a processor that is based outside of the EEA, the parties must take steps to ensure that the jurisdiction in which the data is going has an adequate level of protection. 1 When the GDPR refers to an adequate level of protection it is not talking about the security of the data. Instead, it is referring to the protections afforded by the laws of the country to which the data will be transferred. Under the GDPR, a jurisdiction typically affords data an adequate level of protection if one of four factors exist. First, the EU Commission can evaluate the laws of the foreign country and find that they are per se similar in nature to the GDPR. Second, the entity that will be receiving the data can enter into binding corporate rules. These refer to internal policies and procedures that have been presented to, and approved by, European data protection authorities. 2 Third, a legally binding and enforceable instrument can be created between governments to facilitate the data transfer. An example of such an instrument is the EU-US Privacy Shield framework that was negotiated, and approved by the EU Commission, in Fourth, and most common, is the use by the contracting parties of contract provisions that have been pre-approved by the EU Commission as contractually guaranteeing an adequate level of protection. 4 While some companies integrate the standard contractual clauses into larger service provider agreements, other contracting parties execute the standard contractual clauses as a free-standing agreement. The second requirement imposed by the GDPR is that every service provider agreement must contain thirteen specific contractual provisions. Given the popularity of the standard contractual clauses, and the fact that they have been pre-approved by the EU Commission, many contracting parties assume that the standard contractual clauses incorporate all of these thirteen requirements. Unfortunately, they do not. The following chart summarizes the thirteen requirements within Article 28 and indicates which of those requirements are satisfied, partially satisfied, or not addressed by, the standard contractual clauses. Page 2 of 12

3 GDPR Controller-Processor Contractual Clauses Summary of Reference Requirement Explanation Requirement Satisfied by Clauses Page 3 of 12

4 1. Description of Processing. The contract must specify: 1. subject matter of processing. 2. duration of processing. 3. nature and purpose of Art. 23(3) Partial Gap Appendix 1 of the Contractual Clause describes (1) subject matter of processing, (2) nature and purpose of processing, (3) type of personal data, and (4) categories of data subjects. processing. 4. type of personal data to be processed 5. categories of data subjects about which the data relates. The standard contractual clause, and the Appendix, do not discuss the duration of processing. Page 4 of 12

5 2. Documented Instructions. A service provider can only process personal data consistent with a controllers documented instructions. Art. 28(3)(a) Satisfied. Clause 5(a) and (b) of the contain a requirement that processing can only occur based on a controller s instructions. 3. Confidentiality. It must contain a confidentiality provision. That provision must ensure that persons authorized to Art. 28(3)(b). Gap The do not contain a representation by a data importer concerning confidentiality. process personal data have committed themselves to confidentiality. Page 5 of 12

6 4. Processor Art. 28(1) Satisfied. Clause 5(c) of the Security. Service provider will Art. 28(3)(c) implement Art. 32(1) ( requires the appropriate technical processor to agree and organizational to the security measures to secure provisions contained information. in Appendix II. Presuming that Appendix II contains a description of appropriate security there would be no gap. 5. Subcontracting Art. 28(2) Satisfied. Clauses 5(h) and authorization. A service provider Art. 28(3)(d). 11(1) of the must obtain written authorization before requires that a subcontracting, and processor notify the must inform the controller before Company before it using a makes any changes Subprocessor, and to its subcontractors. obtain their prior written consent. Page 6 of 12

7 6. Subcontracting Art. 28(3)(d) Art. Satisfied. Clause 11(1) of the flow down 28(4) obligations. Service provider will flow requires that a down these processor flow down obligations to any obligations to any subprocessors. subprocessors. 7. Subcontracting liability. A service provider must remain fully liable to the controller for the performance of a sub-processors obligations.. Art. 28(3)(d) Satisfied. Clause 11(1) of the requires that a processor remain fully liable for the actions of its subprocessors. Page 7 of 12

8 8. Responding to Art. 28(3)(e) Partial Gap Clause 5(d)(iii) and data subjects. Service provider will Art clause 5(e) of the assist the Company to respond to any require that a requests by a data subprocessor notify subject. a controller of a data subject request. The clauses do not specifically discuss an obligation to cooperate in responding to such request. Page 8 of 12

9 9. Assisting Art. 28(3)(f) Art. 33 Gap Clause 5(d)(ii) Controller In 34 require that a Responding to Data processor notify a Breach. Service controller concerning provider will a subset of what the cooperate with GDPR defines to controller in the include a data event of a personal breach. It does not data breach. comply with the GDPR s timing requirements. It also does not discuss obligations to cooperate in investigations and response. 10. Assisting Art. 28(3)(f) Gap The Controller In Creating DPIA. Art. 35) do not discuss the Service provider will Art obligation of a cooperate with processor to controller in the participate in DPIA s event the controller conducted by a data initiates a data controller. protection impact assessment. Page 9 of 12

10 11. Delete or return data. Service provider will delete or return data at the end of the engagement. Art. 28(3)(g) Satisfied. Clause 12(1) of the requires a processor to delete or return data upon termination of the agreement. Page 10 of 12

11 12. Audit Right. Service provider will allow Company to conduct audits or inspections for compliance to these obligations. Art. 28(3)(h). Partial Clauses 5(f) and 12(2) of the refer to the ability of the data controller to audit or inspect the processor for compliance with the requirements of the clauses; as the clauses do not include all of the requirements of the GDPR the audit provision is technically narrower than is required under GDPR. Page 11 of 12

12 13. Cross-border Art. 28(3)(a) Partial The transfers. Service provider will not permit the transfer of transfer data outside Art. 46 data from the of the EEA without controller to a permission of processor that is not Company. based in the EEA. The clauses do not discuss whether the processor is permitted to engage in onward transfers to additional countries outside of the EEA. 1. GDPR, Art. 45(1). 2. GDPR, Art. 46(2)(b). 3. GDPR, Art. 46(2)(a). 4. GDPR, Art. 46(2)(c). RELATED PRACTICES Data Privacy and Security Team Page 12 of 12