GDPR & The Ad Agency: Understanding the Impact of the GDPR on Agency Services Agreements

Transcription

1

2 GDPR & The Ad Agency: Understanding the Impact of the GDPR on Agency Services Agreements 2018 LOEB & LOEB LLP

3 Understanding Your Role and Obligations Controller legal person... which, alone or jointly with others, determines the purposes and means of the processing of personal data Processor legal person which processes personal data on behalf of the controller Joint Controller Two or more controllers that jointly determine the purposes and means of processing LOEB & LOEB LLP

4 How to Determine the Agency s Role Consider: What is the source of the data? Is it a Client s first party data or sourced from a third party? Who determines the techniques used for processing? Is the data used for a specific client or used across all clients? Is the data incorporated into the Agency s own products and services? Depending on the control you have over the data, you may be a controller, a processor or a joint controller this determination is based on your activities, it cannot be determined by contract LOEB & LOEB LLP

5 Processing Activities Media Planning Media Buying via Client-Preferred DSPs Using Client Data for Data Driven Advertising LOEB & LOEB LLP

6 Controller/Joint Controller Activities In-House Business Intelligence Tools In-House Reporting/Measurement Tools In-House Programmatic Buying In-House DMP/DSP LOEB & LOEB LLP

7 Consider the Responsibilities/Obligations As processors: You can only process data as permitted by controller agreements You will need prior consent to engage vendors ( subprocessors ) As controllers, you have more control, but: You may have direct responsibility for honoring data subject rights You have more detailed record keeping obligations You are directly responsible for security breach notification obligations **Joint-controllers will need to allocate responsibilities via contracts LOEB & LOEB LLP

8 Digging into Data Processing Agreements 2018 LOEB & LOEB LLP

9 Data Processing Agreements Required. Contracts with data processors must contain the following (Article 28.3, Recital 81): The subject matter and duration of the processing The nature and purpose of the processing The type of personal data and categories of data subjects The obligations and rights of the controller LOEB & LOEB LLP

10 Data Processing Agreement Required. Contracts must require the processor to do each of the following (Article 28.3): Only act on the written instructions of the controller (unless required to do so by Union or Member State law) Ensure that persons processing the data are subject to a duty of confidence Take appropriate measures to ensure the security of processing Only engage sub-processors with the prior consent of the controller and under a written contract imposing on the sub-processor the same data protection obligations as set out in the contract between the controller and processor Assist the controller in allowing data subjects to exercise their rights under the GDPR Assist the controller in meeting its obligations re the security of processing; notification of personal data breaches; and data protection impact assessments Delete or return all personal data to the controller as requested at the end of the contract Submit to audits and inspections Provide the controller with whatever information it needs to ensure that both the controller and processor are meeting their Article 28 obligations Tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state LOEB & LOEB LLP

11 Data Processing Agreements Best Practice. Contracts should: State that nothing within the contract relieves the processor of its own direct responsibilities and liabilities under the GDPR Reflect any indemnity that has been agreed upon by the parties Nice to Have. The contract may reflect that under GDPR, the processor must: Keep records of its processing activities in accordance with Article 30.2 Cooperate with supervisory authorities in accordance with Article 31 Employ a data protection officer if required in accordance with Article 37 Appoint (in writing) a representative within the European Union if required in accordance with Article LOEB & LOEB LLP

12 Security Measures Processors must have appropriate technical and organizational measures in place Clients may try to impose specific security standards either in the data processing agreement or the scope of work Understanding the specific standards will help provide certainty regarding the costs of compliance LOEB & LOEB LLP

13 Sub processor Approvals Articles 28(2) & (4) of the GDPR state that a processor may not engage another sub-processor without the prior specific or general authorization of the controller Try to get a general authorization; however, the client will expect to have the right to object to the appointment of new sub processor Where the parties are unable to agree, the agency should obtain a right to terminate the relevant part of the services or the whole agreement Alternatively, consider excluding liability for that part of the services we cannot provide due to the objection to a sub processor Consider whether the subcontractor clauses in the underlying agreement may be sufficient to address this issue LOEB & LOEB LLP

14 The Cost of Cooperation Consider the costs of cooperation and how to build these into the agreement LOEB & LOEB LLP

15 MSA Implications: Defining the Scope of Work Article 28(3) states that a contract must stipulate the following: subject matter and duration of the processing; nature and purpose of the processing; the type of personal data being processed; the categories of data subject; and obligations and rights of the controller These details should be set-out in a services schedule or scope of work LOEB & LOEB LLP

16 MSA Implications: Compliance with Laws There is no requirement to ensure that the controller complies with applicable law However, as processors have direct liability under the GDPR, an agency should get comfort that the client is compliant with applicable law, that they have the right to share any personal data with the agency, and the scope of the consent is broad enough to permit them to use any personal information provided for the services Consider requiring an indemnity for this although the client may seek to make this obligation mutual LOEB & LOEB LLP

17 MSA Implications: Limitations and Exclusions of Liability Consider whether the obligations of a data processing agreement will fall under the limitation (if any) on liability In light of the potential fees, (i.e. 4% of worldwide turnover), anticipate push back here clients may seek a higher cap or unlimited liability LOEB & LOEB LLP

18 Audit Rights The GDPR requires an audit right, but the audit clause in the underlying agreement may be sufficient Consider whether the client will accept self-auditing or a third party certification in lieu of an on-site audit The client should bear the cost of any audit LOEB & LOEB LLP

19 QUESTIONS? LOEB & LOEB LLP