My recent posts in this series have discussed best privacy practices for the hypothetical software company BizConnect. These practices have included:
a) drafting a GDPR compliant privacy policy; b) self-certifying under the Privacy Shield for transfers of EU personal data; c) adopting GDPR model clauses for transfers of EU personal data; d) deciding whether to conduct a DPIA and/or adopt a Code of Conduct; (e) discuss why BizConnect should draft an internal written data security plan, obtain SSAE-18 audit reports, and adopt a Business Continuity Plan and (f) consider whether it is necessary to appoint a DPO and compliance with Article 27 (data representative appointment.
This post focuses on contractual issues that BizConnect should consider in its transactional documents with its customers (as data controllers) under GDPR.
BizConnect is a small company and likely will receive the “paper” (read: contract) from its enterprise customers to document the SaaS deal including the customer’s form Data Processing Addendum (DPA). BizConnect needs to ensure that its customers are adequately indemnifying it for GDPR violations under their control. With respect to its vendors or subprocessors, it needs to ensure there is a process whereby it can change its subprocessors, and still be in compliance with GDPR.
Indemnification:
Where your company is acting as a data processor, it is desirable to have the data controller indemnify you for its own violations of the GDPR.
In the BizConnect example, BizConnect’s enterprise customers are acting as data controllers when they provide their employees personal data to the system. As data controllers, it is the enterprise customer who has a duty to ensure there is legal basis for the collection of that data. Since the data is not provided under a contract between BizTech’s enterprise customer and its employees, there needs to be another legal basis.
If BizConnect was collecting personal data from their customers they may be able to rely on either contract as a legal basis or consent.
Consent must be freely given, specific, informed, and unambiguous. There must be ability of data subject to withdraw consent at any time.
Since BizConnect’s enterprise customers are collecting their employees personal data they cannot rely on consent.
BizConnect’s enterprise customers are the data controllers who have the responsibility to collect the personal data using one of the lawful bases. They may rely on legitimate interests but will need to ensure that they have conducted the appropriate analysis.
So BizConnect wants to ensure that its enterprise customers are indemnifying it for any costs including regulatory fines (and attorneys’ fees) arising out of noncompliance with these rules.
Prior written consent to any new subprocessors:
BizConnect is a small company and many of its larger subprocessors have prepared Data Processing Addendums (DPAs) without ability to negotiate. The standard approach being taken by these large tech companies is to include a provision that its customers (such as BizTech) will receive 30 days prior notice to any additional subprocessors (from the list contained in the DPA). If the customer does not agree to that new subprocessor, they may cancel their agreement.
Does this satisfy the GDPR requirement? That remains to be seen.
Salesforce’s DPA includes a provision that customers have 10 days to object if they do not agree with the new subprocessor provided by Salesforce.
There is a process whereby the customer may terminate the affected services and receive a pro rata refund for unused affected services.