Tag Archives for " data processors "

European Commission Publishes Draft ‘Article 28’ Standard Contractual Clauses

In addition to issuing new (draft) standard contractual clauses for transferring personal data outside of the EEA, on November 12, the European Commission published a draft decision on standard contractual clauses between controllers and processors for the matters referred to in Article 28 of GDPR.

Use of the Clauses is not compulsory, and controllers and processors may still choose to negotiate individual contracts to satisfy the requirements of Article 28 GDPR and allow a certain degree of flexibility.

The Clauses are currently open for public consultation until 10 December 2020.

Source: European Commission Publishes Draft ‘Article 28’ Standard Contractual Clauses | Alston & Bird Privacy Blog

Security Incident Mitigation Strategy: Effective Negotiation of Technology Contract Limitations of Liability

There is always significant negotiation around caps on liability when negotiating a contract with a technology vendor. If the vendor will have access to the personal information of its customers’ end users (regardless of whether the end users are employees or customers), the treatment of caps on liability takes on heightened importance.

Given the findings in the 2019 Data Security Incident Report (“DSIR”), what rule of thumb or general guidance exists to guide decision-making regarding acceptable financial risk allocation?

Full article: Deeper Dive: Security Incident Mitigation Strategy: Effective Negotiation of Technology Contract Limitations of Liability

Dutch SA initiates exploratory investigation into DPAs

The Dutch Supervisory Authority (Autoriteit Persoonsgegevens, “AP”) recently issued a press release stating that it reached out to 30 organizations to request information relating to their data processing agreements (DPAs).

Source: THE NETHERLANDS: Dutch SA initiates exploratory investigation into DPAs

Third-Party Vendor Management Means Managing Your Own Risk

When considering the termination of a vendor relationship, you must consider the vendor, the contract and the business impact. Although this article is aimed at the privacy considerations in terminating a vendor relationship, there are other considerations within a general business frame.

Full article: Third-Party Vendor Management Means Managing Your Own Risk: Chapter Nine

The road to GDPR certifications won’t be a short one

The EU General Data Protection Regulation has been in effect for five months, and yet there has not been much progress on the certification front. Companies are waiting to see what form certification will take under Articles 42 and 43 of the GDPR, and tech vendors are coming out with solutions to help organizations display their GDPR compliance efforts in the interim.

While GDPR certifications have not yet appeared, plenty of regulatory bodies have come out with guidance on the subject. With all the guidance that’s emerged from global regulatory bodies, there remains controversy surrounding GDPR certifications. Under Article 42 of the GDPR, certification mechanisms will be issued to data controllers and processors.

Full article: The road to GDPR certifications won’t be a short one, it seems

GDPR: the ‘controller v processor’ debate in financial services

Lessons can be learned in the financial services sector from the rush to update contracts to account for the General Data Protection Regulation (GDPR) taking effect earlier this year. The GDPR spurred banks, insurers and other financial institutions to review their existing contracts, most notably their data processing agreements. There is a lot of confusion in this sector about the concepts of ‘controllers’ and ‘processors’ of personal data. Both controllers and processors have distinct obligations under the GDPR.

Full article: GDPR: the ‘controller v processor’ debate in financial services

Do you know your third-party providers well?

To maintain your compliance, you will have to track your third-party suppliers and how they handle any customer record data you pass over to them. These suppliers have to meet the same security and privacy standards as your internal team. However, it’s not enough to ask about this at the beginning of any relationship – you have to check that these standards remain in place over time too. Auditing your suppliers on a regular basis is therefore necessary.

Source: Do you know your third-party providers well?

Every vendor wants to be… a data controller?!

Closing data-related deals seemed so much simpler pre-GDPR, didn’t it? Remember the days when every enterprise customer was a controller and every vendor was a processor. Of course, in reality, not every vendor was a processor (controllership and processorship is a question of fact, you know!) – but, still, this was the basis upon which the great majority of data contracts were concluded.

Full article: Every vendor wants to be… a data controller?!

E-signatures can prove conclusion of data processing agreements

The use of electronic signatures (e-signatures) can prove that data processing contracts have been concluded and their terms agreed to, the EU’s justice commissioner has said. Věra Jourová said that it is possible for data processing contracts to be entered into digitally, but that it is not necessary for those agreements to be signed electronically for them to have effect.

Source: E-signatures can prove conclusion of data processing agreements

Should vendors be able to pass along costs of GDPR compliance?

What wasn’t obvious when the EU General Data Protection Regulation came into force was that vendors would swiftly pass along their own GDPR-related compliance costs to existing customers. But it seems to be a trend privacy pros are increasingly seeing.

Read article: Should vendors be able to pass along costs of GDPR compliance?
