Contracts Flashcards
When do you need a DPA?
Whenever a data processor carries out any processing on your behalf, you need to have a written contract in place.
This means that you need a DPA, for example, when you use customer relationship management platforms (CRMs), customer data platforms (CDPs), analytics and many other types of tools designed to analyze user behavior.
According to the UK Information Commissioner’s Office:
Contracts between controllers and processors ensure that they both understand their obligations, responsibilities and liabilities. They help them to comply with the GDPR, and help controllers to demonstrate their compliance with the GDPR. The use of contracts by controllers and processors may also increase data subjects’ confidence in the handling of their personal data.
The contract is important so that both parties understand their role in handling users’ personal data and their obligations arising from it. It ensures that the chain of responsibility is clear to each participant in the process.
This isn’t anything new. Signing this kind of document is required by many other data privacy regulations, including the British Data Protection Act and GDPR’s predecessor, the Data Protection Directive 95/46/EC.
That said, under GDPR the contract requirements are broader. They also help to demonstrate compliance of each party in case of an audit by data protection authorities.
GDPR imposes many obligations on those who want to collect and use personal data about users. One of the most important is having a DPA in place with every party that processes this data on your behalf. A DPA, or commissioned data processing clause, is a legally binding document signed between the controller and the processor. It regulates the particularities of data processing, such as:
The scope and purpose of the processing
The relationship between these actors
The obligations of each party under the regulation
Does a DPA have to be a separate document?
There’s no legal restriction stipulating that a DPA can’t be a part of a regular contract between the processor and the controller. However, considering the complexity of the task, it’s good to create a separate document or annex to the main contract.
What should be included in a DPA?
GDPR gives some general guidance on what to include in a DPA. Based on the regulation, as well as our own experience and expertise, we’ve prepared a list of elements every data processing agreement should have.
1) General clauses
In this part of the contract you specify the terms used in the document. Among other things, you should define:
The subject of the agreement – typically that would be all activities related to the contractual relationship between partners.
The scope, nature and duration of data processing – how personal data will be used and which party will be responsible for the compliance of the processing. This liability typically rests with the data controller (you), although under GDPR the processor also carries obligations of its own.
The subjects of data processing – whose data you want to process, e.g. children, banking clients, patients or simply website visitors. Data subjects can fall into more than one category.
Type of data you want to process – different categories of data you want to process. This could be e.g. technical characteristics of the browser, behavioral data on website activities or IP addresses.
Data storage – Although GDPR doesn’t forbid companies from storing users’ personal data outside the EU, it sets restrictions on these transfers (see: GDPR Chapter V). The processor shouldn’t send data offshore without your prior written authorization. If data is to be kept abroad, you need to describe how the data processor should handle it to match the protection standards set by GDPR. As the instructions should be detailed, it’s worth including them in a separate clause or even an annex to the contract.
Conditions of contract termination – Here you should state that all data about your users has to be deleted from the processor’s systems (or returned to you, at your choice) after the termination of the contract. You should also detail when you have the right to terminate the agreement – for instance, if the processor fails to inform you about a data breach or makes unauthorized changes to data processing procedures.
A DPA shouldn’t leave any room for misinterpretation. To avoid gray areas, remember to:
1) Set the time frames within which the data processor must respond to data subject requests and within which the data processor has to inform you about a data breach
2) Disclose contact details of your data protection officer
3) Specify if and how often you plan to carry out audits on the processor and who will cover the expenses involved
That way you make sure that there are no weak links and the data processor knows exactly what you expect of them.
The provisions of this part of the contract should be adapted to the specific needs of the organization and industry-relevant requirements.
Business Associate Agreement (BAA)
What is required to be in a BAA?
The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate. Appropriate safeguards need to be established, ensuring that the business associate will prevent PHI disclosure outside of what is permitted in the contract.
What is a required document between a covered entity and a business associate?
A written contract between a covered entity and a business associate must: (1) establish the permitted and required uses and disclosures of protected health information by the business associate; (2) provide that the business associate will not use or further disclose the information other than as permitted or required ..
Do Employees Have to Sign a BAA?
Direct employees don’t have to sign a BAA. That’s because people who work for you are part of your organization’s workforce and aren’t considered business associates. That said, they still fall under HIPAA rules.
Who is not considered a business associate under HIPAA?
A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity.
Is a BAA required between two covered entities?
Yes. If you hire another HIPAA-covered organization to create, maintain, receive, or transmit PHI on your organization’s behalf, then they are your business associate.
Under the HITECH Act and the Omnibus Rule, business associates of covered entities must comply with most of the HIPAA Privacy and Security Rule provisions applicable to covered entities, or face penalties of $100 to $50,000 per violation.
Among other things, covered entities and business associates must execute agreements whereby the business associate agrees to comply with certain Privacy and Security Rule provisions affecting protected health information (“PHI”). The Omnibus Rule required most covered entities and business associates to review and update their business associate agreements (“BAAs”) by September 23, 2013.
The Omnibus Rule also requires covered entities to execute BAAs with certain entities that were not considered business associates in the past, including data storage companies and entities that provide data transmission services and require access to the data on a routine basis.