Modern businesses collect and process personal information about their customers and employees for the benefit of their business – these benefits include identifying opportunities to enhance their products or services, streamlining operations, reducing costs or maximizing profits. Processing such data is often outsourced to a third-party data processing service provider. For example, third parties may be retained to perform payroll activities, store data in a centralized location, or send targeted advertisements to consumers.
Data protection agreements (DPAs) are vital instruments that form part of a service agreement. They allow the business (the data controller) to impose privacy obligations on the third-party service provider (the data processor). DPAs ensure compliance with privacy laws by creating obligations for the data processor to maintain the same level of data protection for the controller and the data subjects. DPAs can also be expanded to protect proprietary or confidential information of the business (not just personal information).
In this post we will look at the below-noted general clauses of a DPA and analyze how common boilerplate clauses are adapted and modified in the DPA context. The general clauses should take into account the purpose of the DPA and the sensitivity of data covered.
In this post, we will look at several key provisions in DPAs:
• Data processor obligations
• Applicable laws
• Insurance and indemnification
• Termination and data return
Data Processor Obligations
In principle, most obligations created by the DPA should apply to the data processors. The purpose of the DPA is to ensure the data controller’s obligations are transferred to the data processor, ensuring personal information is properly protected.
Common obligations imposed on data processors include:
• complying with all applicable privacy laws and regulations;
• only using the data in accordance with the data controller’s instructions;
• limiting data disclosure to those cases required to provide the required processing services to the data controller;
• not using the data for any other purposes, whether commercial or not; and
• maintaining appropriate security measures to protect the data.
Data controllers should ensure the data processor’s obligations are sufficient to protect the nature and sensitivity of the information being shared with the data processor.
Data controllers should know and control where the data processor may transfer, store or process their data, and understand how this may impact their privacy obligations.
Each jurisdiction may impose different obligations under its privacy laws, and data transferred to another jurisdiction may be accessible to the courts, law enforcement and national security authorities in that jurisdiction. The residence of data subjects also impacts obligations as some jurisdictions may impose particular obligations to notify data subjects of cross-border transfers involving their personal information.
These issues should be accounted for in the DPA and definitions of applicable laws should be broad enough to capture the laws of all jurisdictions where data may be processed and where the data subjects may reside.
Listing all applicable jurisdictions can allow the data controller to dictate which obligations the data processor must follow. Such lists also lessen ambiguity as to which obligations are transferred to the data processor, especially in the case of cross-border transfers of data and industry-specific privacy standards.
Indemnification and Insurance
Data controllers are responsible for ensuring compliance with privacy laws. Privacy breaches can result in obligations for the data controller to notify individuals and report to regulators, which come with significant costs. There may also be penalties imposed on the data controller for non-compliance with privacy laws, in addition to the reputational harm it may suffer following a privacy breach.
Data controllers should include provisions in the DPA protecting them from the costs and expenses they might otherwise incur following a data processor’s misuse, destruction, loss, or unlawful disclosure of data. The DPA should include provisions requiring the data processor to indemnify the data controller for any and all costs or expenses resulting from privacy breaches or security incidents caused by the data processor’s actions or inactions.
Data controllers should also consider the need to include insurance clauses in their DPAs, requiring data processors to purchase sufficient insurance to cover any potential claims. Parties should discuss the amount of insurance coverage, as well as what kinds of claims should be covered.
The costs incurred as a result of a security incident or privacy breach can be extensive and it is prudent for controllers to shelter themselves against bearing such costs due to data processors’ actions.
Termination and Data Return
Obligations under the DPAs should extend past the termination of the service agreement. Data and privacy protections should remain in place as long as the data processor retains the information, even if the actual data processing tasks have terminated. The protections should only terminate after the data has been returned or destroyed.
A return or destruction of data provision should lay out when the data processor is required to return or destroy the data, and whether there are any exceptions (for example, data contained in backups that the data processor may not be required to return or destroy due to technical constraints).
The data controller’s privacy law obligations do not expire with the end of a services agreement, and accordingly, neither should processors’ obligations under the DPA.
DPAs are increasingly important documents for agreements that require transferring data third-party service providers. Throughout the main provisions, controllers should ensure obligations flow predominantly towards the data processors, as a DPA is intended to transfer privacy obligations to third parties obtaining personal data.
Depending on the application and the sensitivity of the data, businesses can choose to broaden the definitions, provisions, and obligations in the DPA, and are encouraged to do so to create the highest level of data protection when processors use the confidential information.