Privacy Plus+

Privacy, Technology and Perspective

Privacy and Security Risk Management – Contractual Requirements.  Organizations increasingly rely on outsourcing to third-party service providers to maximize efficiencies and often minimize costs.  However, as organizations rely on service providers, risk management becomes critical, especially in relation to privacy and security where service providers perform critical personal data processing activities on behalf of an organization.  Due diligence, privacy and data protection risk assessments, contract terms, ongoing monitoring to enforce compliance are all important components of robust privacy and security risk management.

In this post, we focus narrowly on provisions you need to include in your contracts.  The following is a brief overview of what contracts with processors or service providers are required to include, under the GDPR, the CCPA and CPRA, the NY Shield Act, and the new VCDPA. 

GDPR – Data Processing Agreements

Article 28 of the European Union’s General Data Protection Regulation (GDPR) generally requires a written contract between a “controller” and “processor” of personal data belonging to residents of the European Economic Union.  Such contracts are required to govern the data processing, although sometimes a processor may be able to satisfy Article 28 through another “legal act.”   The contract must include details about the processing and certain specific clauses, such as the following:

The contract (or other legal act) must include the following details about the processing:

  • the subject-matter and duration of the processing;

  • the nature and purpose of the processing;

  • the type of personal data and categories of data subject; and

  • the controller’s obligations and rights.

Other specific terms or clauses must also be included:

  • Processing personal data only on the documented instructions of the controller;

  • Duty of confidentiality;

  • Appropriate security measures;

  • The use of sub-processors;

  • Data subjects’ rights;

  • Assisting the controller;

  • End-of-contract provisions; and

  • Audits and inspections.

The contract must also require the processor to take all security measures necessary to meet the requirements of Article 32 regarding the security of processing, including the placement of appropriate technical and organizational measures to ensure the security of personal data. These may include, as appropriate:

  • encryption and pseudonymization;

  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

  • the ability to restore access to personal data in the event of an incident; and

  • processes for regularly testing and assessing the effectiveness of the measures.

Links to Articles 28 and 32 of the GDPR follow:

CCPA – Service Provider Contracts

The California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 – 1798.199) requires a written contract with any vendor who is acting as a “service provider.”  (Under the CCPA, a “service provider” is different from a “third party.” See Cal. Civ. Code § 1798.140(v) (defining “service provider”) and 1798.140(w) (defining “third party”).)

The CCPA requires that this written contract:

  • ·       prohibit the service provider receiving personal information from retaining, using, or disclosing it for any purpose other than the specific purpose of performing the services specified in the contract, or as otherwise permitted under the law (See Cal. Civ. Code § 1798.140(v));

  • ·       prohibit selling personal information and retaining, using, or disclosing the information outside of the direct business relationship between the parties (See Cal. Civ. Code § 1798.140(w)(2));

  • ·       contain a certification by the service provide that it understands the CCPA’s requirements. (Id.)

 You can read more about the CCPA by clicking on the following link to our previous post:

And a link to the relevant CCPA provision follows:

CPRA – Service Provider / Contractor / Third-Party Contracts

The California Consumer Privacy Rights Act of 2020 (CPRA) – which some call “CCPA 2.0” (because the CPRA is, quite literally, a redline of the text of the CCPA) – adds new contractual requirements to govern the sale, sharing, disclosure and receipt of personal information, requiring businesses to contract appropriately with not just “service providers,” but also with “contractors” and “third parties.”

CPRA augments the CCPA’s definition of service providers (§ 1798.140(ag)(1)) and third parties (§ 1798.140(ai)), and adds a definition for contractor (§ 1798.140(j)(1))). The contractual requirements placed on service providers, contractors and third-parties are almost identical.

Section 1798.100(d) requires a busines that collects a consumer’s personal information and sells it to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose must:

  • ·       specify that the personal information is sold or disclosed for limited purposes;

  • ·       require compliance with the CPRA;

  • ·       grant the business rights to take reasonable and appropriate steps to help to ensure that the personal Information is used in a manner consistent with its CPRA obligations;

  • ·       notify the business if it makes a determination that it can no longer meet its CPRA obligations;

  • ·       grant the business the right, upon notice, to take “reasonable and appropriate steps” to stop and remediate unauthorized use of personal information.

CPRA also requires additional contractual terms between a business and its service providers and contractors. Sections 1798.140(ag) and (j) respectively require that contracts with a service provider or contractor:

  • ·       prohibit the sale or sharing of personal information;

  • ·       prohibit the retention, use, or disclosure of the personal information for any purpose other than for the business purposes specified in the contract;

  • ·       prohibit combining personal information with PI from another person or collects from its own interaction with the consumer, with caveats;

  • ·       notify the business of the use of sub-processors;

  • ·       contractually bind sub-contractors to the same contract obligations.

The service provider contract may (subject to agreement with the business) permit the business to monitor the service provider’s compliance with the contract through measures such as ongoing manual reviews, automated scans, and regular assessments, audits, or other technical and operational testing at least once every twelve (12) months.

A contract with a contractor must include a certification of understanding and compliance. 

You can read more about the CPRA (including its text) by clicking on the following link to our previous post:

VCDPA – Controller/Processor Terms

Under the newly enacted Virginia Consumer Data Protection Act (VCDPA), contracts are required between “controllers” and “processors” of personal data—here, Virginia residents.

Section 59.1-575 sets out the responsibilities of controllers and processors.  Subsection B specifically addresses the contractual requirements, stating that the contract must contain:

  • ·       instructions for processing data;

  • ·       the nature and purpose of processing;

  • ·       the type of data subject to processing;

  • ·       the duration of processing; and

  • ·       the rights and obligations of both parties.

The contract must also require that the processor shall:

  • ·       ensure that each person processing personal data is subject to a duty of confidentiality;

  • ·       delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;

  • ·       make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the VCDPA upon the reasonable request of the controller;

  • ·       allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor or alternatively, arrange for a qualified and independent assessor to conduct an assessment and provide a report of such assessment to the controller;

  • ·       contractually bind sub-contractors to the same contract obligations.

You can read more about the VCDPA by clicking on the following link to our previous post:

A link to the text of the VCDPA follows:

New York SHIELD Act – Reasonable administrative safeguards, including contracts

The New York SHIELD Act requires reasonable administrative safeguards, including selection of service providers capable of maintaining safeguards and requiring by contract that those safeguards be implemented. 

While the SHIELD Act does not prescribe exactly what must be included in contracts, it is clear that privacy and data security terms must be included, and the statute gives numerous specific suggestions for others safeguards that those terms might require.

For more information about the SHIELD Act, you can read our previous post by clicking on the following link:

A link to the text of the SHIELD Act follows:  

A Final Note

Keep in mind two additional things: 

First, a number of states have introduced comprehensive state privacy legislation, so more prescriptive contractual requirements may be on the horizon.  In particular, keep your eyes on Washington, New York, Florida, Connecticut and Oklahoma. 

Second, this is by no means a complete statement of all that a third-party data-processing contract should contain. For example, don’t forget important terms like indemnification, limitations of liability, and insurance; and we haven’t covered terms relating to data security, data transfer, data retention and destruction, or incident notification. These additional terms will follow from the nature of the parties’ relationship and the nature of the data to be processed under the contract. 

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.