Data Processing Agreements
Resources
Topics Covered
This section covers the following topics:
-
quick definition and explanation of a data processing agreement
-
jurisdictional stipulations for cross-border data transfers
-
understanding standard contractual clauses for meeting conditions of adequacy
-
restrictions against amending EU Model clauses
-
understanding three types of EU Model clauses and when to use each
Part 1: How is My Business Tracking Customer Data?
As you read this, your organisation may be the data controller or the data processor.
-
If you operate a subscriber service, and sell the service directly to your customers without an intermediary, your organisation is likely the data controller.
-
If your organisation helps other data controllers deliver their service, like MailChimp or Salesforce or Dropbox etc., your organisation may be the data processor. See the processing ecosystem diagram below.
In our example, when this fictitious German business saves a client record to Google’s G-Suite, the personal data associated with the application leaves Germany and crosses international borders into the United States, a violation of Regulation EU 2016/679. If discovered, this would result in a sizeable fine imposed upon the business, along with a suspension of data processing activity imposed by authorities and served to both Google and the German business.
Cross-border data transfers can also occur when employing other data services located outside of one’s jurisdiction. For instance, using MailChimp to send bulk emails also employs a service in the United States. This is also an example of an unauthorized cross-border data transfer, because personal data flows from the EU into a country without adequacy standing. But there’s a better way to accomplish these things by employing EU Model Clauses, also called Standard Contractual Clauses. This is covered next.
Part 2: Can I Amend the SCCs?
In a single word, no. SCCs must be adopted as they are templated; this is what permits the European Commission to preapprove them, neither by adding to the scope nor amending the existing scope. However, the parties may agree to the following information to be inserted into the form:
-
identification, location and contact information of the data exporter and data importer;
-
description of the activities relevant to the transfer by the data importer and receipt/processing by the data importer;
-
description of the data subjects (employees and customers);
-
categories of data subjects (identity data, performance, etc.);
-
special categories of data (medical data, financial data, criminal data, sexual orientation, etc.);
-
processing operations meaning the scope of why the data is being transferred to the data importer; and
-
the security measures the data importer agrees to employ to ensure adequate safeguards are in place to protect the personal and sensitive information transferred to the data importer.
The items above may be populated by the data importer and data exporter, but the core clauses of the SCCs may not be amended.
Standard Contractual Example
Part 3: What Happens Next?
Once you complete the SCC, whether its for Brazil, the European Union or another country requiring them, you need to determine if they’re required to be filed with a supervisory authority, or simply stored for reference should a supervisory authority conduct an audit. In some countries, such as Spain, a data transfer based on SCCs cannot proceed until approved by the local supervisory authority. Other countries such as France and Germany may not require filing with a supervisory authority unless sensitive information is involved.
If all you need is access to the European Commission SCCs, there are three versions; it’s important to understand the role of the recipient importing the personal data in order to choose the correct version.
The 2001 version of the original form of SCCs is still valid, although the 2004 version is more business friendly.
Employ the 2004 version if the importer acts as a parent company receiving affiliate personal data for independent decision-making and functions, which is somewhat viewed as a controller-to-controller relationship.
Employ the 2010 version when the importer uses the details on behalf of and as instructed by the exporter.
Is Anything Else Necessary?
Be sure to remember to comply with any other laws that may be relevant. SCCs only deal with the transfer of data, and the SCCs will likely need to accompany a Data Processing Agreement (DPA) that defines the instructions by which the importer may process data, including stating the lawful basis for processing and its proportionality to the need; otherwise, it will be an unlawful disclosure.
For assistance with Data Processing Agreements that should accompany an SCC, please see the DPA section of this site.
A Brief Recap Before You Leave
-
A cross-border transfer occurs when data moves between two different countries with varying regulations.
-
You need to know your risk and measure it before you can monitor improvement.
-
Risk is an asset in danger. To move assets away from danger you need an effective threat model.
-
Untreated risk is referred to as "inherent risk" and treated risk is referred to as "residual risk" or the risk that remains.
-
The goal isn't to completely remove all risk, as that's impossible. Your goal is to keep applying treatment until the risk is at an acceptable level according to your regulatory and contractual obligations.
