PROGRAM MATERIALS
Program #2819
April 24, 2018

Complying with the EU General Data Protection Regulation (GDPR): Third Party Vendor Management Programs

Copyright ©2018 by David A. Zetoony, Esq., Bryan Cave LLP; Christopher M. Achatz, Esq., Bryan Cave LLP. All Rights Reserved. Licensed to Celesq®, Inc.

Celesq® AttorneysEd Center
www.celesq.com
5301 North Federal Highway, Suite 180, Boca Raton, FL 33487
Phone 561-241-1919  Fax 561-241-1969



Complying With The EU GDPR

Bryan Cave Data Privacy and Security Team


Agenda

Overview: GDPR
Module 1. Information Notices / Privacy Policies
Module 2. Conducting Data Inventories
Module 3. Data Subject Requests
Module 4. Incident Response Plans
Module 5. Third Party Vendor Management Programs
Module 6. Cross Border Transfers


Overview


Overview: Historical background

• The EU Data Protection Directive (EC/46/95)
  – Enacted in 1995.
  – Creates a standard legal framework for EU member states.
  – It was not a self-implementing statute, regulation, or rule.
  – In US legal parlance, it was akin to an unfunded federal mandate.
  – There were 28 member state implementing statutes in various languages, with various texts, and with various requirements.
  – There is an advisory body (the Article 29 Working Party) that provided interpretative guidance.


Overview: GDPR

The General Data Protection Regulation (EU) 2016/679
• Replaces the EU Data Protection Directive.
• Entered into force in May 2016.
• Applies beginning May 2018.
• Directly applicable in all EU Member States.
• Aims to unify data protection law within the European Union and increases data subjects’ rights.
• Still authorizes individual EU Member States to implement more specific rules in certain areas.


Overview: GDPR

The Countdown


Overview: GDPR – 10 Top Talked About Provisions

1. Penalties. Under the Directive functionally non-existent; under the GDPR up to 4% of revenue.
2. Floor not ceiling. Member states can enact additional safeguards in certain areas, including research.
3. Extraterritorial. Purports to impact “establishments” in the EU and other organizations that monitor behavior of EU data subjects or offer services to EU data subjects.
4. Breach Notification. Adopts new breach notification obligations.
5. Children. Adopts US-like protections concerning collection of data from children.
6. Right to be Forgotten. Grants data subjects a right to have their information erased.
7. Right to Data Portability. Grants data subjects a right to ask for their information.
8. Data Protection Officers. Requires some organizations to designate data protection officers.
9. Data Privacy Impact Assessments. Requires organizations to create internal records concerning impact of high-risk processing.
10. Data Minimization. Requires that personal data be kept for no longer than is necessary.


Overview: Core Requirements

Requirements differ depending upon whether you are a “Data Controller” or a “Data Processor.”

• A “Data Controller” is defined as the entity which “determines the purposes and means of the processing of personal data.” GDPR, Art. 4(7).
• A “Data Processor” is defined as an entity “which processes personal data on behalf of the controller.” GDPR, Art. 4(8).


Overview: Core Requirements


Overview: Ability to Process Data


Overview: Individual Rights


Overview: Accountability / Governance


Overview: Data Security


Overview: Transferring Data Outside EEA


Overview: Service Providers


Overview: Operationalizing the GDPR – Top 10 Core Documents


Agenda

Overview: GDPR
Module 1. Information Notices / Privacy Policies
Module 2. Conducting Data Inventories
Module 3. Data Subject Requests
Module 4. Incident Response Plans
Module 5. Third Party Vendor Management Programs
Module 6. Cross Border Transfers


Overview: Service Providers


Module 5: Vendor Management

Outline:
– Processing Requirements between Controller and Processor
  • Practice Pointers for Controllers and Processors
– Processor Liability
– Comparison against Controller/Processor Model Clause
– Comparison against Privacy Shield
– Practice Pointers


Module 5: Processing Requirements

Article 28(1) – Processing Requirements

“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”

Article 28(3) – Processing Requirements

“Processing by a processor shall be governed by a contract or other legal act under Union or Member State law that is binding on the Processor with regard to the controller . . . .”


Module 5: Processing Requirements

1) Subject Matter/Purpose/Type of Data/Categories of Data Subjects

Article 28(3)

“Processing by a processor shall be governed by a contract or other legal act under Union or Member State law that is binding on the Processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”

• Description of Subject Matter and Duration
• Description of Nature and Purpose
• Description of Type of Personal Data
• Description of Categories of Data Subjects


Module 5: Processing Requirements

2) Documented Instructions

Article 28(3)(a)

“processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest”

• Controller Practice Pointer:
  – Controller still has wide latitude to determine processing.
  – Processor cannot abdicate its responsibility under the GDPR.
• Processor Practice Pointer:
  – Processor may request that Controller warrant that it has obtained all necessary rights and consents in order for processor to fulfil its obligations.


Module 5: Processing Requirements

3) Confidentiality

Article 28(3)(b)

“ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality”

• Controller Practice Pointer:
  – Clearly applies to the processor’s employees, and likely extends to a subprocessor and its employees (and is subject to the records requirements of Article 28(3)(h)).
• Processor Practice Pointer:
  – Likely to already be covered, at least in part, under another agreement between controller and processor.


Module 5: Processing Requirements

4) Processor Security

Article 28(3)(c)

“takes all measures required pursuant to Article 32 [Security of Processing – processor shall implement appropriate technical and organizational measures]”

• Controller Practice Pointer:
  – There is a lot in Article 32, including references to encryption, pseudonymization, confidentiality, integrity, availability, restoration of data, security program testing, regular evaluations, and terms related to a personal data breach.
• Processor Practice Pointer:
  – “Appropriate technical and organizational measures” is a broad standard without much guidance.


Module 5: Processing Requirements

5) Subprocessors – Part 1

Article 28(3)(d) => Article 28(2)

“The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorization, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.”

• Controller Practice Pointer:
  – Open-ended specific written authorisation.
• Processor Practice Pointer:
  – General authorization, with limits on how a controller can object, which may end in termination. May request consent to a list of subprocessors in the agreement.


Module 5: Processing Requirements

5) Subprocessors – Part 2

Article 28(3)(d) => Article 28(4)

“Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.”

• Controller Practice Pointer:
  – Request third-party beneficiary rights.
  – Fully liable, not simply responsible.
• Processor Practice Pointer:
  – Maintain role as intermediary between controller and subprocessor.


Module 5: Processing Requirements

6) Data Subject Rights

Article 28(3)(e)

“taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III [Rights of the Data Subject]”

• Controller Practice Pointer:
  – Processor is to receive, refer, and act on data subject requests at the discretion of the controller.
• Processor Practice Pointer:
  – Refer only, in accordance with processor’s standard practice.
  – Ability to charge for time and materials.


Module 5: Processing Requirements

7) Assist in Controller Security

Article 28(3)(f)

“assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 [32 – Security of Processing] taking into account the nature of processing and the information available to the processor”

• Controller Practice Pointer:
  – Require cybersecurity audit report.
• Processor Practice Pointer:
  – Simply implement the measures already required by Article 28(3)(c) – Processor Security, with ability to charge for time and materials for anything additional.


Module 5: Processing Requirements

7) Assist in Personal Data Breach

Article 28(3)(f)

“assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 [33 & 34 – Personal Data Breach] taking into account the nature of processing and the information available to the processor”

• Controller Practice Pointer:
  – Notice (“promptly” = <72 hours) and reasonable cooperation, ability to direct response, and indemnity.
• Processor Practice Pointer:
  – Notice (“promptly” = >72 hours) and reasonable cooperation.


Module 5: Processing Requirements

7) Assist in Data Protection Impact Assessment

Article 28(3)(f)

“assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 [35 & 36 – DPIA/Supervisory Authority] taking into account the nature of processing and the information available to the processor”

• Controller Practice Pointer:
  – Ability to control flow of information and coordination.
• Processor Practice Pointer:
  – Reasonable coordination, with ability to charge for time and materials.


Module 5: Processing Requirements

8) Return or Delete Personal Data

Article 28(3)(g)

“at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data”

• Controller Practice Pointer:
  – Delete or return upon request, and with instructions.
• Processor Practice Pointer:
  – Rely on confidentiality provision of base agreement.
  – Implement tools to allow controller to handle deletion or return itself.


Module 5: Processing Requirements

9) Records and Audit

Article 28(3)(h)

“makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.”

• Controller Practice Pointer:
  – Records, audits, and inspections, with controls mandated by controller.
  – Subprocessor contracts and processing subject to audit.
• Processor Practice Pointer:
  – Review or control of independent audit report.
  – Controls mandated by processor.
  – Ability to charge for time and materials to comply.


Module 5: Processing Requirements

10) International Data Transfer

Article 46(1)

“a controller and processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on a condition that enforceable data subject rights and effective legal remedies for data subjects are available.”

• Controller Practice Pointer:
  – Processor shall comply with all instructions with regard to international data transfers.
• Processor Practice Pointer:
  – Processor has pre-signed Controller-Processor SCC.


Module 5: Processing Requirements

Top Ten Operational Requirements

1) Subject Matter/Purpose/Type of Data/Categories of Data Subjects
2) Documented Instructions
3) Confidentiality
4) Processor Security
5) Subprocessors
6) Data Subject Rights
7) Assist the Controller in Controller Security/Personal Data Breach/DPIA
8) Return or Delete Personal Data
9) Records and Audit
10) International Data Transfer


Module 5: Processor Liability

1. Expressly Unlimited
“Notwithstanding anything to the contrary in the Principal Agreement, Vendor’s liability for any breach of this Addendum shall be unlimited.”

2. Fully Liable Language
“Service Provider shall remain fully liable to the Company for its performance, and the performance of any subprocessors.”

3. Fully Liable Language (added to Subprocessing section)
Integrating an indirect reference to full liability within the subprocessing section (where it is least likely to be recognized or objected to). For example, “In addition to being fully liable to Company for its own obligations under this Addendum, Vendor shall remain fully liable for any failure by each Subprocessor to fulfill its obligations in relation to the Processing of any Company Personal Data.”

4. Carveout for Fully Liable for Personal Data Breach and/or Data Security Measures
“Any damages, costs, or fines arising from this [Personal Data Breach/Data Security Measures] Section supersede, and are not limited by, any limitations of liability provided in the Agreement.”

5. No Reference in DPA, but DPA set up as a stand-alone agreement

6. Liability Cap but No Indemnification Cap
“The total combined liability of either Party and its Affiliates toward the other Party and its Affiliates for damages under or in connection with this Addendum will be limited to the Agreed Liability Cap for the relevant Party. Notwithstanding any limitation on liability, however, Service Provider will indemnify and defend Controller in relation to any third party claim that relates to, or arises from, a breach of Service Provider’s obligations under this Addendum.”

7. No Reference in DPA, but DPA set up as an Amendment to Underlying Agreement

8. Capped at Underlying Agreement
“The total combined liability of either Party and its Affiliates towards the other Party and its Affiliates under or in connection with this Addendum will be limited to the agreed liability cap in the Principal Agreement.” Drafting note: Only include if required; otherwise rely on caps in the Principal Agreement.

9. Additional Indemnity from Controller for Controller Instructions
“Controller shall indemnify and defend Processor in connection with any processing carried out by Processor or a Subprocessor pursuant to any instruction of Controller that infringes any Data Protection Laws.”


Module 5: Comparison Against Controller/Processor Model Clause (1)

GDPR Controller-Processor Contractual Clauses
Columns: Summary of Requirement | Reference | Requirement Satisfied by Standard Clauses | Explanation

1. Description of Processing. The parties must specify: (1) subject matter of processing; (2) duration of processing; (3) nature and purpose of processing; (4) type of personal data to be processed; (5) categories of data subjects about which the data relates.
   Reference: Art. 23(3)
   Satisfied by Standard Clauses: Partial Gap
   Explanation: Appendix 1 of the Standard Contractual Clause describes (1) subject matter of processing, (2) nature and purpose of processing, (3) type of personal data, and (4) categories of data subjects. The standard contractual clause, and the Appendix, do not discuss the duration of processing.

2. Documented Instructions. A service provider can only process personal data consistent with a controller’s documented instructions.
   Reference: Art. 28(3)(a)
   Satisfied by Standard Clauses: Satisfied
   Explanation: Clause 5(a) and (b) of the Standard Contractual Clauses contain a requirement that processing can only occur based on a controller’s instructions.

3. Confidentiality. It must contain a confidentiality provision. That provision must ensure that persons authorized to process personal data have committed themselves to confidentiality.
   Reference: Art. 28(3)(b)
   Satisfied by Standard Clauses: Gap
   Explanation: The Standard Contractual Clauses do not contain a representation by a data importer concerning confidentiality.

4. Processor Security. Service provider will implement appropriate technical and organizational measures to secure information. (c/p)
   Reference: Art. 28(1); Art. 28(3)(c); Art. 32(1)
   Satisfied by Standard Clauses: Satisfied
   Explanation: Clause 5(c) of the Standard Contractual Clauses requires the processor to agree to the security provisions contained in Appendix II. Presuming that Appendix II contains a description of appropriate security, there would be no gap.


Module 5: Comparison Against Controller/Processor Model Clause (2)

GDPR Controller-Processor Contractual Clauses
Columns: Summary of Requirement | Reference | Requirement Satisfied by Standard Clauses | Explanation

5. Subcontracting authorization. A service provider must obtain written authorization before subcontracting, and must inform the Company before it makes any changes to its subcontractors. (c/p)
   Reference: Art. 28(2); Art. 28(3)(d)
   Satisfied by Standard Clauses: Satisfied
   Explanation: Clauses 5(h) and 11(1) of the Standard Contractual Clauses require that a processor notify the controller before using a subprocessor, and obtain their prior written consent.

6. Subcontracting flow-down obligations. Service provider will flow down these obligations to any subprocessors. (c/p)
   Reference: Art. 28(3)(d); Art. 28(4)
   Satisfied by Standard Clauses: Satisfied
   Explanation: Clause 11(1) of the Standard Contractual Clauses requires that a processor flow down obligations to any subprocessors.

7. Subcontracting liability. A service provider must remain fully liable to the controller for the performance of a sub-processor’s obligations.
   Reference: Art. 28(3)(d)
   Satisfied by Standard Clauses: Satisfied
   Explanation: Clause 11(1) of the Standard Contractual Clauses requires that a processor remain fully liable for the actions of its subprocessors.

8. Responding to data subjects. Service provider will assist the Company to respond to any requests by a data subject. (c/p)
   Reference: Art. 28(3)(e); Art. 12 – 23
   Satisfied by Standard Clauses: Partial Gap
   Explanation: Clause 5(d)(iii) and clause 5(e) of the Standard Contractual Clauses require that a subprocessor notify a controller of a data subject request. The clauses do not specifically discuss an obligation to cooperate in responding to such a request.


Module 5: Comparison Against Controller/Processor Model Clause (3)

GDPR Controller-Processor Contractual Clauses
Columns: Summary of Requirement | Reference | Requirement Satisfied by Standard Clauses | Explanation

9. Assisting Controller in Responding to Data Breach. Service provider will cooperate with controller in the event of a personal data breach.
   Reference: Art. 28(3)(f); Art. 33 – 34
   Satisfied by Standard Clauses: Gap
   Explanation: Clause 5(d)(ii) requires that a processor notify a controller concerning a subset of what the GDPR defines as a “data breach.” It does not comply with the GDPR’s timing requirements. It also does not discuss obligations to cooperate in investigations and response.

10. Assisting Controller in Creating DPIA. Service provider will cooperate with controller in the event the controller initiates a data protection impact assessment.
   Reference: Art. 28(3)(f); Art. 35-36
   Satisfied by Standard Clauses: Gap
   Explanation: The Standard Contractual Clauses do not discuss the obligation of a processor to participate in DPIAs conducted by a controller.

11. Delete or return data. Service provider will delete or return data at the end of the engagement. (c/p)
   Reference: Art. 28(3)(g)
   Satisfied by Standard Clauses: Satisfied
   Explanation: Clause 12(1) of the Standard Contractual Clauses requires a processor to delete or return data upon termination of an agreement.

12. Audit Right. Service provider will allow Company to conduct audits or inspections for compliance with these obligations. (c/p)
   Reference: Art. 28(3)(h)
   Satisfied by Standard Clauses: Partial
   Explanation: Clauses 5(f) and 12(2) of the Standard Contractual Clauses refer to the ability of the controller to audit or inspect the processor for compliance with the requirements of the clauses; as the clauses do not include all of the requirements of the GDPR, the audit provision is technically narrower than is required under the GDPR.

13. Cross-border transfers. Service provider will not transfer data outside of the EEA without permission of Company. (c/p)
   Reference: Art. 28(3)(a); Art. 46
   Satisfied by Standard Clauses: Partial
   Explanation: The Standard Contractual Clauses permit the transfer of data from the controller to a processor that is not based in the EU. The clauses do not discuss whether the processor is permitted to engage in onward transfers to additional countries outside of the EEA.


Module 5: Comparison Against Privacy

Shield (1) GDPR Privacy Shield

Summary of Requirement Reference Requirement Satisfied

by Privacy Shield

Explanation

1. Description of Processing. The parties must

specify:

1. subject matter of processing.

2. duration of processing.

3. nature and purpose of processing.

4. type of personal data to be processed

5. categories of data subjects about which the

data relates.

Art. 23(3) Gap Privacy Shield registration does not in of itself specify the

type of personal data processed, the categories of data

subjects involved, or the scope of permissible processing.

2. Documented Instructions. A service provider can only process personal data consistent with a controller's documented instructions.
Reference: Art. 28(3)(a)
Requirement Satisfied by Privacy Shield: Gap
Explanation: Privacy Shield recognizes that a controller in the EU is “always required to enter into a contract when a transfer for mere processing is made . . . whether or not the processor participates in the Privacy Shield,” and that the purpose of the contract is to “make sure that the processor acts only on instructions from the controller.”

3. Confidentiality. It must contain a confidentiality provision. That provision must ensure that persons authorized to process personal data have committed themselves to confidentiality.
Reference: Art. 28(3)(b)
Requirement Satisfied by Privacy Shield: Partial Gap
Explanation: The purpose limitation contained in Privacy Shield Principle 5(a) might be interpreted as precluding a service provider from disclosing personal data, as such disclosure would presumably be “incompatible with the purposes for which [the data] has been collected . . . .”

4. Processor Security. Service provider will implement appropriate technical and organizational measures to secure information.
Reference: Art. 28(1); Art. 28(3)(c); Art. 32(1)
Requirement Satisfied by Privacy Shield: Satisfied
Explanation: Privacy Shield requires that “Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.”


Module 5: Comparison Against Privacy Shield (2)

GDPR Summary of Requirement | Reference | Requirement Satisfied by Privacy Shield | Explanation

5. Subcontracting authorization. A service provider must obtain written authorization before subcontracting, and must inform the Company before it makes any changes to its subcontractors.
Reference: Art. 28(2); Art. 28(3)(d)
Requirement Satisfied by Privacy Shield: No
Explanation: Privacy Shield requires that a registrant ensure that its service providers only use information for “limited and specified purposes.” It does not, however, require that a registrant that is acting as a processor obtain the consent of the controller prior to the use of a subcontractor.

6. Subcontracting flow down obligations. Service provider will flow down these obligations to any subprocessors.
Reference: Art. 28(3)(d); Art. 28(4)
Requirement Satisfied by Privacy Shield: Partial Gap
Explanation: While Privacy Shield does have some flow down obligations, not all of the provisions that GDPR requires to be placed in contracts are inherent in Privacy Shield, so the flow down provisions created by Privacy Shield do not cover the full scope of the flow down obligations in GDPR.

7. Subcontracting liability. A service provider must remain fully liable to the controller for the performance of a sub-processor's obligations.
Reference: Art. 28(3)(d)
Requirement Satisfied by Privacy Shield: Partial Gap
Explanation: The Privacy Shield references that an organization remains “liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles unless the organization proves that it is not responsible for the event giving rise to the damage.” It is not clear whether the exception to liability in Privacy Shield is consistent with the liability provisions in the GDPR.

8. Responding to data subjects. Service provider will assist the Company to respond to any requests by a data subject.
Reference: Art. 28(3)(e); Art. 12 – 23
Requirement Satisfied by Privacy Shield: Partial Gap
Explanation: Privacy Shield requires that a service provider grant access, rectification, and deletion requests to a data subject. This may be at odds with GDPR, which requires that a service provider cooperate with the controller, but permit the controller to respond to such requests.


Module 5: Comparison Against Privacy Shield (3)

GDPR Summary of Requirement | Reference | Requirement Satisfied by Privacy Shield | Explanation

9. Assisting Controller In Responding to Data Breach. Service provider will cooperate with controller in the event of a personal data breach.
Reference: Art. 28(3)(f); Art. 33 – 34
Requirement Satisfied by Privacy Shield: Gap
Explanation: Privacy Shield does not discuss the obligation of a service provider to cooperate with a controller in the event of a personal data breach.

10. Assisting Controller In Creating DPIA. Service provider will cooperate with controller in the event the controller initiates a data protection impact assessment.
Reference: Art. 28(3)(f); Art. 35-36
Requirement Satisfied by Privacy Shield: Gap
Explanation: Privacy Shield does not discuss the obligation of a service provider to cooperate with a controller to conduct a DPIA.

11. Delete or return data. Service provider will delete or return data at the end of the engagement.
Reference: Art. 28(3)(g)
Requirement Satisfied by Privacy Shield: Partial Gap
Explanation: Privacy Shield prohibits maintaining information in an identifiable manner after it has served its permissible purpose. Note, however, that it does not mandate that the personal data be deleted or returned at the election of the controller.

12. Audit Right. Service provider will allow Company to conduct audits or inspections for compliance with these obligations.
Reference: Art. 28(3)(h)
Requirement Satisfied by Privacy Shield: Gap
Explanation: Privacy Shield requires that the registrant conduct its own audits of its internal privacy practices; it does not guarantee that a controller has audit rights vis-à-vis a processor.

13. Cross-border transfers. Service provider will not transfer data outside of the EEA without permission of Company.
Reference: Art. 28(3)(a); Art. 46
Requirement Satisfied by Privacy Shield: Gap
Explanation: Privacy Shield does not prohibit a service provider from doing an onward transfer to a Subprocessor that is located outside of the EEA (or outside of the US).


Module 5: Practice Pointers

• Are all service providers considered to be “processors”?

• Is it the responsibility of the Controller or the Processor to enter into a Data Processing Addendum?

• What if the Controller and Processor never sign a Data Processing Addendum?

• Should the Controller or Processor proactively come out with a Data Processing Addendum?

• Should the Controller or Processor proactively come out with a pre-signed Controller/Processor Model Clause?


Module 5: Biography

David Zetoony
Partner
Chair, Data Privacy & Security Team
Bryan Cave LLP
Washington, D.C. / Boulder, Colorado
202 508 6030
[email protected]

David Zetoony is the leader of the firm's global data privacy and security practice. He has extensive experience advising clients on how to comply with state and federal privacy, security, and advertising laws, representing clients before the Federal Trade Commission, and defending national class actions. He has assisted hundreds of companies in responding to data security incidents and breaches, and has represented human resource management companies, financial institutions, facial recognition companies, and consumer tracking companies before the Federal Trade Commission on issues involving data security and data privacy.


Module 5: Biography

Chris Achatz
Associate
CIPP/US
Bryan Cave LLP
Boulder, Colorado
303-417-8544
[email protected]

Chris Achatz is an Associate with the Data Privacy and Security team at Bryan Cave. Achatz’s data privacy and security practice involves advising his clients on industry-specific regulations and standards that govern the responsible use, collection and management of their customers’ personal information. His experience also includes developing company policies and drafting and implementing privacy- and security-related compliance strategies and programs. He is a certified information privacy professional and former in-house counsel for a leading data and analytics company.
