Standardizing data processing agreements globally
Transcript of Standardizing data processing agreements globally
Recorded August 3, 2021
A webinar for providers of information technology services and products, and their customers
Presenters
Lothar Determann, Partner, Palo Alto (Moderator)
Helena Engfeldt, Partner, San Francisco
Michaela Nebel, Partner, Frankfurt
Flávia Rebello, Partner, São Paulo*
Kensaku Takase, Partner, Tokyo
* In cooperation with Trench, Rossi and Watanabe Advogados
Agenda
1. The New EU Standard Contractual Clauses: How to Prepare
2. CCPA/CPRA, HIPAA, PCI, Nevada, Virginia, Colorado
3. Brazil and the Americas
4. Japan and APAC
5. Global approach to documentation
SCCs, processor instructions, adequacy assessments, response to requests
1. The New EU Standard Contractual Clauses: How to Prepare

Overview
a. GDPR context
b. Predecessor versions
c. Modules
European Commission: New standard contractual clauses

"Extra-EU SCCs" / "Art. 46 SCCs" / Commission Decision 2021/914:
- Set out appropriate safeguards pursuant to Art. 46 GDPR.
- Modules C2P and P2P constitute clauses pursuant to Art. 28(7) GDPR because they set out the rights and obligations of controllers and processors pursuant to Art. 28(3) and (4) GDPR.

"Intra-EU SCCs" / "Art. 28 SCCs" / Commission Decision 2021/915:
- Fulfil the requirements for contracts between controllers and processors in Article 28(3) and (4) GDPR.
Timeline
- June 7, 2021: Publication of the new SCCs in the Official Journal of the EU.
- June 27, 2021: The new SCCs entered into force. Start of the 3-month "transition period" during which the old SCCs as well as the new SCCs can be concluded.
- September 27, 2021: Only the new SCCs can be concluded.
- December 27, 2022: Until then the old SCCs are deemed to provide appropriate safeguards, provided that (i) the processing activities remain unchanged, and (ii) the transfer is subject to appropriate safeguards (see Schrems II).
- December 28, 2022: The old SCCs no longer provide appropriate safeguards. All old contracts and new contracts must be based on the new SCCs.
Extended scope

[Diagram: extended scope of the SCC modules. Entities shown: Parent Company, Affiliated Companies, Cloud Provider / Processor, and Sub-processors. Relationships between them are labelled C2P SCCs, P2P SCCs, C2C SCCs and P2C SCCs.]

Module 1 ("C2C"): Controller to Controller
Module 2 ("C2P"): Controller to Processor
Module 3 ("P2P"): Processor to Processor
Module 4 ("P2C"): Processor to Controller
Threshold questions
a. When to use the international and processor SCCs?
b. Alternatives:
   i. Custom corporate agreements
   ii. Contracts with individuals
   iii. Consent
   iv. BCRs
Selection of open questions
- Relation to Art. 28 GDPR contracts? Does the effect of the SCCs disappear if the SCCs differ from the provisions of Art. 28 GDPR?
- "One size fits all" solution? May the extra-EU SCCs also be used for intra-EU transfers?
- Drafting? Can parties sign off on only one SCC document if multiple modules apply?
- Recital 7: Applicability only if the data importer is not subject to the GDPR?
Implementation process
- Vendors
- Intragroup
- Customers
- New vendors v. existing vendors
- Reactive v. proactive
- Align with requirements for other jurisdictions
- Prepare for updates
Implementation details
a. Completely separate, annexed, or integrated in commercial agreements?
b. Hierarchy and modifications, particularly limitations of liability
c. Multi-module or separate agreements?
d. Options in modules: processor authorization, choice of law
e. Annexes
Related requirements
a. Instructions
b. Schrems II assessments
c. Subprocessor list
Transfer impact assessment
- Schrems II decision of the Court of Justice of the European Union, July 16, 2020.
- Art. 14 lit. b to lit. d of the new SCCs require the parties to carry out and document a Transfer Impact Assessment and to make it available to the competent supervisory authority on request.
- Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, European Data Protection Board, final version dated June 18, 2021.
Example Germany: Coordinated audit of international data transfers
- Several data protection authorities in Germany reach(ed) out to "selected companies" (without specifying them, e.g. by their industry) via questionnaires.
- Goal: Broad enforcement of the requirements of the Court of Justice of the European Union in its Schrems II decision.
- Questionnaires cover the following topics: mail hosting, website hosting, web tracking, applicant portals and intra-group data transfers.
- Sample questions from the questionnaires:
  "If you have signed SCCs, have you done a thorough assessment (with the recipients) of the legal system of the third country?"
  "If you have concluded that the recipient can in fact guarantee compliance with the contractual obligations under the SCCs: Please describe in detail your reasons for this conclusion and provide appropriate evidence."
2. CCPA/CPRA, HIPAA, PCI, Nevada, Virginia, Colorado
Source:
https://iapp.org/media/pdf/resource_center/State_Comp_Privacy_Law_Map.pdf
https://iapp.org/media/pdf/resource_center/State_Comp_Privacy_Law.pdf
Columns: Name of law or standard | Who does the law/standard apply to? | Are data processing/transfer terms statutorily required? (*Data security terms are required under various laws.)

CCPA/CPRA (California) | Entities that do business in CA and exceed one of three thresholds, or a parent/subsidiary of an entity that meets the requirements where the two use a common brand (most companies worldwide) | No, but particular terms unique to the CCPA are required for service provider/contractor characterization.

Colorado Privacy Act | Those who target CO residents and process PI of 100K (true) consumers, or derive revenues/discounts from the sale of PI and process PI of 25K consumers (many B2C companies) | Yes, similar to Art. 28 GDPR.

Virginia Consumer Data Protection Act | Those who target VA residents and process PI of 100K (true) consumers, or derive 50% of revenues from the sale of PI and process PI of 25K consumers (many B2C companies) | Yes, similar to Art. 28 GDPR.

Nevada's Senate Bill 220 | Operators with some nexus to Nevada (e.g. a commercial website accessed by Nevada residents) | No, but terms can be beneficial to document that PI is not sold.

HIPAA (US federal) | Covered entities, Business Associates (e.g. healthcare providers and their service providers) | Yes, particular terms unique to HIPAA are required.

GLBA (US federal) | Banks and other financial institutions | Yes, (non-prescriptive) confidentiality terms required.

PCI (standards, apply globally) | Entities that store, process, and/or transmit cardholder data (e.g. financial institutions and companies accepting credit cards for payment) | No, but will be contractually required through demands from card companies.
3. Brazil and the Americas
Brazil – LGPD transfer mechanisms
- Adequacy decision
- Binding corporate rules
- Brazilian model clauses
- Code of conduct or certification
- International cooperation
- Protection of the life or physical integrity of the data subject
- Specific consent
- Contract with the data subject, legal obligation or enforcement of rights

Uncertainty: All transfer mechanisms depend on regulations to be issued by the Brazilian Data Protection Authority (ANPD), which are scheduled to be issued only in the first semester of 2022.

The ANPD indicated (informally) that it will regulate SCCs first, as they are easier and less burdensome. One of the ANPD members indicated that the new EU SCCs are too complex for Brazil, and that the authority will aim for simpler clauses closer to the New Zealand or Singapore models.
Regulations are different – LatAm
- Argentina – International data transfers are prohibited unless to countries with an adequacy decision (EEA OK, US not OK), or if the transfer relies on Argentinean model clauses. EU SCCs are acceptable.
- Chile – No specific requirements.
- Colombia – International data transfers are prohibited unless to countries with an adequacy decision (US and EEA OK), upon express consent of the data subject, if necessary for the performance of a contract with the data subject, or for the public interest. When the transfer takes place between a controller and a processor, or between two processors that follow the same privacy policy, it is called a transmission. In any case, all transfers/transmissions need to be documented in a data sharing agreement.
- Mexico – International data transfers must be consented to by the data subject in the Privacy Notice, or will be allowed if the transfer is an intra-group transfer, necessary for the performance of a contract with the data subject, for compliance with a legal obligation, for the enforcement of rights, or for the public interest.
- Peru – International data transfers are allowed to countries with adequate levels of protection (no list of safe countries has yet been issued), or under a written contract that guarantees the same level of protection. Express consent of the data subject is required, except if necessary for performing a contract with the data subject or for the public interest. EU SCCs are acceptable.
- Uruguay – International data transfers are allowed for legitimate purposes or upon consent of the data subject, and transfers are permitted to countries with an adequate level of protection, or with contractual clauses that guarantee protection. EU SCCs are acceptable. Intercompany transfers can rely on BCRs or Codes of Conduct registered with the Authority.
4. Japan and APAC

Data transfer agreements in APAC

Country | Requires SCC-like agreement? | Official templates like SCCs? | Expressed support of SCC use?
Singapore | No | No | Yes, with amendments
Australia | No | No | No
Hong Kong | No | No | No
Malaysia | No | No | No
China | Yes | Yes, soon to come | No way
Philippines | Yes | No | No
South Korea | No | No | No
New Zealand | No | No (model template only) | No

Japan
- EU and Japan mutual adequacy decision on January 23, 2019.
- BUT transfers of personal data from the EEA to Japan under the Adequacy Decision must also comply with the Supplementary Rules.
5. Global approach to documentation
- Unilateral standards to meet or exceed common-theme requirements
- Vendor onboarding process to default to including the standards, SCCs, and a HIPAA BAA unless the company can confirm that particular requirements are not triggered
- Infosec review for new vendors
- Impact assessment for new vendors
Baker & McKenzie LLP is a member firm of Baker & McKenzie International, a global law firm with member law firms
around the world. In accordance with the common terminology used in professional service organisations, reference to a
"partner" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an
office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results
do not guarantee a similar outcome.
© 2021 Baker & McKenzie LLP
bakermckenzie.com